From Newsgroup: alt.msdos.batch

Below is a working Windows custom proxy client I built over the past month.

If you use the same paths & freeware that I'm using, then I see no reason
it wouldn't work for you, out of the box, after you install these tools:

Psiphon freeware: (encrypted socks5 proxy server to bypass censorship)
<https://psiphon.ca/>
Name: psiphon3.exe
Size: 10402576 bytes (10158 KiB)
SHA256: DB1BAF76F0333F4743919A86F35037559F9E7DA7DF14982DFC16FB8DC0BE6BE2

Mongoose freeware: (single-binary lightweight local http/https server)
<https://mongoose.ws/binary/>
Name: mongoose.exe
Size: 110592 bytes (108 KiB)
SHA256: 7F0BE618842767D9C83D9607139334F454447FDF822A5404DC9AC7EDFCAB856B

Specifically only these external freeware executables are currently used:
psiphon3.exe (acts as the SOCKS5 proxy engine)
mongoose.vbs (serves the proxy.pac file via HTTP)

While these built-in Windows tools & commands are used in the script:
curl.exe (verifies the custom PAC file is available)
cscript.exe (runs the mongoose setup & launching VBScript)
net session ( checks if the script is running with admin rights)
powershell.exe -Verb RunAs (requests UAC elevation if needed)
netsh.exe (imports & syncs proxy settings from WinINet into WinHTTP)
reg.exe (writes registry values for AutoConfigURL and AutoDetect)

Tutorial:
Build a one-click Windows custom SOCKS5 proxy client using freeware

I've been building a privacy-focused proxy client for about a month which
has been a sudden deep dive into areas I hadn't touched in decades.

I hadn't seriously looked at proxies since around 2001, back when tools
like Proxifier were used to route traffic through TOR manually,
long before the Tor Browser bundled everything into a single click.

Back then, you'd launch TOR as a background service, configure Proxifier to redirect specific apps through a local SOCKS port and hope nothing leaked outside the tunnel.

Fast-forward to now and proxy configuration in Windows has become a multi-headed beast, with multiple API & networking stacks to deal with.

Modern Windows environments don't rely on a single unified proxy setting. Instead, they use multiple proxy stacks, each serving different types of applications and services. That means if you want consistent behavior
across browsers, system services, and modern apps, you can't just set a
proxy once and expect it to work everywhere.

Unfortunately, if you want it to be a single push-button (which is how I do everything, even clicking browser cookie-delete buttons automatically), you need scripts that interact with the registry, manipulate system settings,
and coordinate across stacks to make proxy setup a one-click operation.

On my Windows 10 Pro box, typical proxy settings live in places like:
a. Win+I > Settings > Network & Internet > Proxy
b. Win+R > control > Internet Options > Connections > LAN Settings
c. And Group Policy or registry edits for deeper control

Windows doesn't use a single unified proxy configuration. Instead, it has multiple proxy stacks, each used by different types of applications.
1. WinINet Stack
2. WinHTTP Stack
3. WPAD + PAC Files (used for auto-discovery and dynamic proxy logic)
4. Modern App Stack (Windows Runtime / UWP)
5. Custom Proxy Clients (scripts that can also bypass Windows stacks)

Examples of how these stacks are used:
a. WinINet is used by Internet Explorer and Chrome
b. WinHTTP is what Windows Update relies on
c. WPAD and PAC files are used by WinINet apps like Chrome & Firefox
d. UWP apps like Microsoft Store & Mail use the Modern App Stack
e. Tools like Proxifier, SocksCap, FreeCap, WideCap, ProxyCap,
SocksEscort, ShadowSocks, Psiphon, or in my case, a custom batch
script can act as freeware custom proxy clients on Windows 10.

For this tutorial, a custom proxy client can be any tool or script that:
A. Launches or manages a proxy service
B. Configures system or app-level proxy settings
C. Handles traffic & proxy logic independently of Windows' built-in stacks

Below is an example of my own script-driven proxy client which...
A. Bridges Psiphon with Windows proxy stacks,
B. Serves & applies PAC logic (with CoPilot, GMail & Amazon Vine bypass),
C. Syncs across WinINet & WinHTTP proxy stacks,
D. and handles Admin elevation (e.g., for regedits) & status logging.

These are a half dozen actions that the custom proxy client does...
1. Launches a freeware SOCKS5 proxy engine (Psiphon in SOCKS mode)
2. Serves a custom PAC file over HTTP/HTTPS before launching Psiphon
3. Applies proxy logic once Psiphon is running
4. Syncs proxy settings across stacks (WinINet > WinHTTP)
5. Handles elevation & logging if not already running as admin
6. Keeps the shell open so we can see what happened

Specifically, in my Windows 10 environment, the script below...
1. Starts psiphon3.exe in SOCKS mode which provides a local SOCKS5
proxy tunnel, which apps can use to route traffic through
Psiphon's encrypted network.
2. Runs mongoose.vbs to serve a proxy.pac file over HTTP at
http://127.0.0.1/proxy.pac. It waits a couple seconds,
then uses curl to verify the PAC file is actually available
before continuing.
3. Calls pac.cmd, which sets up the system to use the PAC file.
It also directly sets the PAC URL and enables Auto-Detect
in the registry under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
4. Runs "netsh winhttp import proxy source=ie" which copies the
static proxy settings from WinINet into WinHTTP
Note: It smartly avoids transferring SOCKS or PAC logic
to WinHTTP, since WinHTTP doesn't support those.
5. Relaunches itself with UAC elevation & logs activity to proxy.log,
including timestamps when PAC logic is triggered.
6. Pauses at the end so you can see what happened.

I'm sure there will be improvements, but here's the current status after
using it for about a month (ever since Epic Privacy Browser went bust).

::START: You type Win+R -> psiphon
:: |
:: v
::psiphon.bat
:: - Check if running as admin
:: - If not, request UAC elevation and restart
:: - Launch mongoose.vbs to serve proxy.pac (moved earlier in v1.8)
:: - Wait 2 seconds for Mongoose to initialize (added in v1.8)
:: - Echo "waiting for mongoose..." during delay (added in v1.9)
:: - Verify PAC file is accessible via curl (added in v1.8)
:: - Launch psiphon3.exe in SOCKS mode
:: - Wait 5 seconds for Psiphon to initialize
:: - Log that pac.cmd is being run
:: - Call pac.cmd /silent
:: |
:: v
:: pac.cmd
:: - Log run
:: - Run proxy.cmd /sync to align WinINET -> WinHTTP
:: - Capture current PAC URL and Auto-Detect status
:: - If missing or wrong, call proxy.cmd with PAC URL
:: - Force set PAC URL and Auto-Detect in registry
:: - Re-capture status so final display is accurate
:: - Show final PAC and Auto-Detect status
:: - Return to psiphon.bat
:: - Force set PAC URL and Auto-Detect again (double guarantee)
:: - Pause for user to see output
:: - Exit without closing parent shell
::END

Here's my main custom proxy client script, verbatim, using my own paths, so please realize this is a working script that I use every day to perform the actions above on my Windows 10 Pro Pc. Note that I will necessarily need to send the companion scripts separately since this is already a long post.

@echo off
REM C:\data\sys\batch\psiphon.bat version 1.0 20250819
REM This is psiphon.bat version 2.1 (118 lines)
REM Runs "C:\app\network\psiphon\psiphon3.exe" -mode=socks
REM This method leaves windows open.
REM %comspec% /k C:\app\network\psiphon\psiphon3.exe -mode=socks
REM This method closes windows.
REM psiphon.bat version 1.1 20250916
REM Added automatic PAC sync/apply after Psiphon launch
REM psiphon.bat version 1.2 20250916
REM Added logging to proxy.log when PAC is triggered from psiphon
REM psiphon.bat version 1.3 20250916
REM Added optional pause for viewing output before closing
REM psiphon.bat version 1.4 20250916
REM Changed to never close parent cmd window and always pause at end
REM psiphon.bat version 1.5 20250916
REM Added self-elevation to request UAC if not already admin
REM psiphon.bat version 1.6 20250916
REM Added final PAC URL + Auto-Detect set to ensure persistence
REM after Psiphon/proxy changes
REM psiphon.bat version 1.7 20250917
REM Added launch of mongoose.vbs to serve proxy.pac before PAC logic
REM psiphon.bat version 1.8 20250917
REM Reordered launch sequence: Mongoose now starts BEFORE Psiphon
REM Added PAC availability check using curl
REM Added 2-second wait after Mongoose launch to ensure readiness
REM psiphon.bat version 1.9 20250917
REM Error: PAC file not available. Aborting. Press any key to continue
REM Increased delay from 2 to 4 to give Mongoose more time to bind & serve
REM psiphon.bat version 2.0 20250917 (111 lines)
REM Decreased delay back to 2 as it didn't make a difference
REM Added echo message during Mongoose wait to indicate progress
REM psiphon.bat version 2.1 20250917 (118 lines)
REM Expanded Psiphonos reach to WinHTTP apps without compromising WinINET apps
REM By adding Automatic Sync of WinINET to WinHTTP (e.g., for Windows
Update)
REM Transfers only the Psiphon-injected static HTTP/HTTPS proxy address
REM Does not transfer PAC logic and SOCKS settings from WinInet to WinHTTP

:: --- Elevate to admin if not already ---

nul 2>&1 net session

if %errorlevel% neq 0 (
echo Requesting administrative privileges...
powershell -Command "Start-Process '%~f0' -Verb RunAs"
exit /b
)

REM Launch Mongoose silently to serve proxy.pac
cscript //nologo "C:\data\sys\batch\launchmongoose.vbs"

REM Wait for Mongoose to initialize (added in v1.8)
echo waiting for mongoose... (added in v2.0)
timeout /t 2 /nobreak >nul

REM Verify PAC file is available before proceeding (added in v1.8)
curl --silent --fail http://127.0.0.1/proxy.pac >nul || (
echo PAC file not available. Aborting.
pause
exit /b
)

REM Launch Psiphon in SOCKS mode
start "" /D "C:\app\network\psiphon" psiphon3.exe -mode=socks

REM Wait a few seconds for Psiphon to initialize
timeout /t 5 /nobreak >nul

REM Log that PAC is being run from psiphon
echo [%DATE% %TIME%] pac.cmd triggered from psiphon.bat >> C:\data\sys\log\proxy.log

REM Apply PAC logic automatically (silent mode)
call "C:\data\sys\batch\pac.cmd" /silent

REM Force PAC URL and Auto-Detect to desired values at the very end
REM This ensures Psiphon or proxy sync cannot leave them unset
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
/v AutoConfigURL /t REG_SZ /d http://127.0.0.1/proxy.pac /f >nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
/v AutoDetect /t REG_DWORD /d 1 /f >nul

REM Sync WinINET proxy settings into WinHTTP (added in v2.1)
netsh winhttp import proxy source=ie

REM Always pause so you can see output if run from a console
echo.
echo Press any key to close...
pause >nul

REM End batch without killing the shell
exit /b

Note that I will post working companion scripts following this overview.
--
Kindly donated to the Usenet community, as always, for others to benefit.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Marion wrote:

Tutorial:
Build a one-click Windows custom SOCKS5 proxy client using freeware
Note that I will post working companion scripts following this overview.

The companion blocks psiphon.bat uses are listed below:
1. proxy.cmd
registry sync helper that reads and writes WinINet & WinHTTP settings
2. pac.cmd
PAC file installer that calls proxy.cmd to enforce AutoConfigURL
and AutoDetect so that these three domains are bypassed
Amazon Vine (https://amazon.com/vine/about)
Google Gmail (https://mail.google.com)
Microsoft (https://copilot.microsoft.com)
These are bypassed since they hate proxies like they hate VPN.
3. launchmongoose.vbs
Launches a lightweight HTTP server that serves proxy.pac to localhost
4. psiphon.bat
The main proxy client which elevates to admin, starts mongoose,
launches Psiphon, applies PAC logic, syncs to WinHTTP & logs activity

Bearing in mind everything you do on WIndows more than once is to be made
into a single click, each of these commands runs standalone when needed.
Win+R > proxy
Win+R > pac
Win+R > mongoose
Win+R > psiphon
These single-point activators are made possible by the App Paths key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\<name>.exe

For reference, here is the general flow so you can see where each is run.
::START: Win+R -> psiphon (uses App Paths registry key)
:: |
:: v
::psiphon.bat
:: - Check if running as admin
:: - If not, request UAC elevation and restart
:: - Launch launchmongoose.vbs to start Mongoose HTTP server
:: - Serve proxy.pac at http://127.0.0.1/proxy.pac
:: - Wait 2 seconds for Mongoose to initialize
:: - Verify PAC file is available using curl
:: - If PAC file is not available, abort
:: - Launch psiphon3.exe in SOCKS mode
:: - Wait 5 seconds for Psiphon to initialize
:: - Log that pac.cmd is being run
:: - Call pac.cmd /silent
:: |
:: v
:: pac.cmd
:: - Log run
:: - Run proxy.cmd /sync to align WinINET -> WinHTTP
:: - Capture current PAC URL and Auto-Detect status
:: - If missing or wrong, call proxy.cmd with PAC URL
:: - Force set PAC URL and Auto-Detect in registry
:: - Show final PAC and Auto-Detect status
:: - Return to psiphon.bat
:: - Force set PAC URL and Auto-Detect again (double guarantee)
:: - Pause for user to see output
:: - Exit without closing parent shell
::END

Here is my working Win_R > proxy (proxy.cmd) source file:
@echo off
REM C:\data\sys\batch\proxy.cmd 20250902
REM This is version 2.2
REM Proxy diagnostic & config tool for WinINET, WinHTTP, PAC
REM C:\data\sys\batch\proxy.cmd v2.1 - 20250916
REM Changes in v2.1 (20250916):
REM Added conditional check before importing WinINET into WinHTTP
REM to avoid overwriting existing settings unnecessarily
REM Added PAC file existence check before setting PAC URL
REM Updated pause prompts to clarify Enter, Spacebar, or any key works
REM C:\data\sys\batch\proxy.cmd v2.2 - 20250916 (224 lines)
REM Changed final exit to exit /b to avoid closing parent cmd window

REM Usage:
REM Win+R > proxy
REM Win+R > proxy /help
REM Win+R > proxy /sync
REM Win+R > proxy http://url.pac
REM Win+R > proxy /nopac
REM Win+R > proxy /status
REM Win+R > proxy /reset
REM Win+R > proxy /silent
REM Win+R > proxy /silent /sync

REM Proxy types:
REM Type 1: WinINET - IE, Edge, MS Office, most apps
REM Type 2: WinHTTP - system services like Windows Update
REM Type 3: PAC/AutoDetect - Chrome, Edge, Firefox (if set to use system proxy)

REM Show usage
if /i "%~1"=="/help" (
echo Usage:
echo proxy
echo proxy /sync
echo proxy http://...
echo proxy /nopac
echo proxy /status
echo proxy /reset
echo proxy /silent ...
exit /b
)

REM Log command
set LOG=C:\data\sys\log\proxy.log
echo [%DATE% %TIME%] %cmdcmdline% >> %LOG%

REM Begin scoped env
setlocal

set KEY="HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

REM Detect /silent flag
if /i "%~1"=="/silent" (
set SILENT=1
shift
)

REM /reset flag
if /i "%~1"=="/reset" (
echo Reset proxy settings...
reg delete %KEY% /v ProxyEnable /f >nul 2>&1
reg delete %KEY% /v ProxyServer /f >nul 2>&1
reg delete %KEY% /v AutoConfigURL /f >nul
reg add %KEY% /v AutoDetect /t REG_DWORD /d 0 /f >nul
netsh winhttp reset proxy >nul 2>&1
echo Proxy settings cleared.
goto SHOWCONFIG
)

REM /status flag
if /i "%~1"=="/status" (
echo Show proxy config...
goto SHOWCONFIG
)

REM /sync flag
if /i "%~1"=="/sync" (
echo Sync WinINET into WinHTTP...
REM Check if WinHTTP proxy is already set before importing
for /f "tokens=1,* delims=:" %%A in ('netsh winhttp show proxy ^| findstr /R /C:"Proxy Server(s)"') do set curWinHTTP=%%B
set curWinHTTP=%curWinHTTP:~1%
if "%curWinHTTP%"=="" (
netsh winhttp import proxy source=ie
if errorlevel 1 (
echo ERROR: Access denied. Run as admin.
)
echo Done.
) else (
echo WinHTTP proxy already set, skipping import.
)
goto SHOWCONFIG
)

REM /nopac flag
if /i "%~1"=="/nopac" (
echo Disable PAC & Auto-Detect...
reg delete %KEY% /v AutoConfigURL /f >nul 2>&1
reg add %KEY% /v AutoDetect /t REG_DWORD /d 0 /f >nul
echo PAC & Auto-Detect disabled.
goto SHOWCONFIG
)

REM Set PAC URL
if not "%~1"=="" (
echo Set PAC URL: %~1
REM PAC file existence check if URL is local file or localhost
for /f "tokens=1 delims=:" %%P in ("%~1") do set PACPROTO=%%P
if /i "%PACPROTO%"=="http" (
REM If localhost PAC, check file existence
echo %~1 | findstr /I "127.0.0.1" >nul
if not errorlevel 1 (
for /f "tokens=2 delims=:" %%H in ("%~1") do set PACPORTPATH=%%H
REM Remove leading slashes
set PACPORTPATH=%PACPORTPATH:/=%
REM Adjust path if needed (user must ensure correct mapping)
if not exist "C:\data\sys\pac\proxy.pac" (
echo WARNING: PAC file not found at C:\data\sys\pac\proxy.pac
)
)
)
reg add %KEY% /v AutoConfigURL /t REG_SZ /d %~1 /f >nul
reg add %KEY% /v AutoDetect /t REG_DWORD /d 1 /f >nul
)

REM Diagnostic output
:SHOWCONFIG
echo ============================================
echo WINDOWS PROXY CONFIG CHECK
REM Avoid slash to prevent parsing bug
echo ============================================

REM WinINET status
echo.
echo [1] WinINET
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v ProxyEnable 2^>nul') do set ProxyEnable=%%B
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v ProxyServer 2^>nul') do set ProxyServer=%%B
if "%ProxyEnable%"=="0x1" (
echo Proxy ENABLED
echo Server: %ProxyServer%
) else (
echo Proxy DISABLED
)

REM WinHTTP status
echo.
echo [2] WinHTTP
for /f "tokens=1,* delims=:" %%A in ('netsh winhttp show proxy ^| findstr /R /C:"Proxy Server(s)"') do set curWinHTTP=%%B
set curWinHTTP=%curWinHTTP:~1%
if "%curWinHTTP%"=="" (
echo No WinHTTP proxy - import from WinINET...
netsh winhttp import proxy source=ie >nul 2>&1
) else (
echo WinHTTP proxy already set
)
netsh winhttp show proxy

REM PAC status
echo.
echo [3] PAC / AutoDetect
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v AutoConfigURL 2^>nul') do set PACurl=%%B
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v AutoDetect 2^>nul') do set AutoDetect=%%B
if defined PACurl (
echo PAC URL: %PACurl%
) else (
echo No PAC URL
)

REM PAC logic summary
if /i "%PACurl%"=="http://127.0.0.1/proxy.pac" (
echo PAC logic: Bypass Gmail, Amazon, Copilot
echo Other traffic via SOCKS proxy 127.0.0.1:1080
)

if "%AutoDetect%"=="0x1" (
echo Auto-Detect ENABLED
) else (
echo Auto-Detect DISABLED
)

echo.
echo ============================================
echo Proxy check complete
echo ============================================

endlocal

REM Final pause unless /silent
if not defined SILENT (
echo.
echo Press Enter, Spacebar, or any key to close...
pause >nul
)

exit /b
--
Some people are kind hearted enough to ensure others always benefit.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Marion wrote:

Tutorial:
Build a one-click Windows custom SOCKS5 proxy client using freeware
Note that I will post working companion scripts following this overview.

While companion blocks are listed below, some are optional.
1. proxy.cmd (posted)
registry sync helper that reads and writes WinINet & WinHTTP settings
2. pac.cmd (to be posted)
PAC file installer that calls proxy.cmd to enforce AutoConfigURL
and AutoDetect so that these three domains are bypassed
Amazon Vine (https://amazon.com/vine/about)
Google Gmail (https://mail.google.com)
Microsoft (https://copilot.microsoft.com)
These are bypassed since they hate proxies like they hate VPN.
3. launchmongoose.vbs (posted below)
Launches a lightweight HTTP server that serves proxy.pac to localhost
4. psiphon.bat (posted in the original post opening up this thread)
The main proxy client which elevates to admin, starts mongoose,
launches Psiphon, applies PAC logic, syncs to WinHTTP & logs activity

In keeping with the idea that anything you do more than once on Windows
should be tied to a single click, launchmongoose.vbs is an optional helper that silently starts the Mongoose web server in the correct working
directory so it can host proxy.pac at http://127.0.0.1. It only launches if mongoose.exe is not already running and logs the result to mongoose.log.

Keep in mind that this custom proxy client works fine without Mongoose
because Psiphon in SOCKS5 mode does not require a PAC file to be served
over HTTP (that is, the PAC URL in the registry can point to a local file
path or direct proxy settings as it doesn't need to be served over HTTP).

The benefit of adding the lightweight Mongoose web server was that mongoose
is an easy way to serve the PAC file over HTTP before Psiphon starts.

This allows:
a. The PAC URL in WinINet and WinHTTP to point to a live file
at http://127.0.0.1/proxy.pac
b. Any app or service that supports PAC files to fetch proxy
rules immediately without using an external server
c. Custom bypass logic such as skipping Amazon Vine, Gmail
and Microsoft Copilot to be applied system wide
d. The PAC file to remain available even if Psiphon changes
network routes because the PAC file is hosted locally

In short, the launching of Mongoose turns my custom proxy client setup from just a SOCKS5 tunnel into a more-self-contained proxy service with dynamic routing rules, making PAC logic work reliably across all stacks & apps.

With that backround in mind, here's the OPTIONAL mongoose-launch script.
' ============================================
' launchmongoose.vbs 20250916 version 1.0
' This is version 1.5
' ============================================
' Version History:
' 1.0 - 20250916 Initial silent launch
' 1.1 - 20250916 Added process check and logging
' 1.2 - 20250916 Fixed duplicate End If error
' 1.3 - 20250916 Added version header block, cleaned structure
' 1.4 - 20250916 Removed unconditional launch
' Now launches only if not running
' 1.5 - 20250916 Updated launch command to explicitly set working directory
' ============================================
' Serves C:\data\sys\batch\proxy.pac as http & https
' Launch using: cscript //nologo launchmongoose.vbs
' Test using: curl http://127.0.0.1/proxy.pac
' Testing using: type mongoose.log
' Or just use: tasklist /fi "imagename eq mongoose.exe"
' Kill using: taskkill /f /im mongoose.exe
' Test this script: cscript //nologo "C:\data\sys\batch\launchmongoose.vbs"
' ==============================
' Added in version 1.1
' ==============================
' Features:
' - Skips launch if mongoose.exe is already running
' - Logs launch attempts to mongoose.log
' ==============================
' Fixed in version 1.2
' ==============================
' got rid of errors
' ==============================
' Improved in version 1.4
' ==============================
' Removed unconditional launch from version 1.0
' ==============================
' Improved in version 1.5
' ==============================
' Due to error: PAC file not available.
' Added explicit path to Mongoose launch
' WshShell.Run """C:\data\sys\batch\mongoose.exe"" -l http://127.0.0.1:80 -d C:\data\sys\batch", 0, False
' This ensures proxy.pac is served correctly regardless of current working directory
' ==============================

Set WshShell = CreateObject("WScript.Shell")

Set execCheck = WshShell.Exec("cmd /c tasklist /fi ""imagename eq mongoose.exe"" | find /i ""mongoose.exe""")
If execCheck.StdOut.ReadAll = "" Then
' Mongoose is not running, launch silently
WshShell.Run """C:\data\sys\batch\mongoose.exe"" -l http://127.0.0.1:80 -d C:\data\sys\batch", 0, False

' Log the launch
WshShell.Run """cmd.exe"" /c echo [" & Date & " " & Time & "] Mongoose launched >> C:\data\sys\batch\mongoose.log", 0, False
Else
' Mongoose is already running, skip launch
WshShell.Run """cmd.exe"" /c echo [" & Date & " " & Time & "] Mongoose already running >> C:\data\sys\batch\mongoose.log", 0, False
End If

Note I tested caddy, miniweb, mongoose & python before settling on mongoose.
--
Note that Amazon Vine gives me tens of thousands of dollars worth of "free stuff" every year so I needed to keep them happy since they hated proxies.
<https://amazon.com/vine/about>
And GMail was barfing as were all the AI's, but Copilot is a M$ tool,
so it's added here (you'll likely want to add all the AI URls to it).
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Marion wrote:

Tutorial:
Build a one-click Windows custom SOCKS5 proxy client using freeware
Note that I will post working companion scripts following this overview.

While companion blocks are listed below, some are optional.
1. proxy.cmd (previously posted)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\proxy.exe
registry sync helper that reads and writes WinINet & WinHTTP settings

2. pac.cmd (posted below)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pac.exe
PAC file installer that calls proxy.cmd to enforce AutoConfigURL
and AutoDetect so that these three domains are bypassed
Amazon Vine (https://amazon.com/vine/about)
Google Gmail (https://mail.google.com)
Microsoft (https://copilot.microsoft.com)
These are bypassed since they hate proxies like they hate VPN.

3. launchmongoose.vbs (previously posted)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mongoose.exe
Launches a lightweight HTTP server that serves proxy.pac to localhost

4. psiphon.bat (previously posted in the original post of this thread)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\psiphon.exe
The main proxy client which elevates to admin, starts mongoose,
launches Psiphon, applies PAC logic, syncs to WinHTTP & logs activity

In contrast with the previous post where mongoose was added just yesterday
as an OPTIONAL helper to serve PAC files over HTTP, probably the one script that I've spent the most time on in this month-long effort is this pac.cmd, which is a helper script that makes sure the system is using the correct
PAC file, PAC URL and Auto-Detect settings after Psiphon starts.

This pac.cmd script (which can be run from "Win+R > pac" if needed, is
called by the main psiphon.bat custom proxy client in order to sync WinINet proxy settings into WinHTTP. What it does is it checks the current PAC configuration and applies changes if needed. It can also intelligently
force the PAC URL and Auto-Detect registry keys so they stay set even if Windows fails to fetch the PAC file. That took a while to get timing right.

It then logs its actions even as it can run silently and it shows the final PAC status so we know when proxy logic is active across both stacks.

@echo off
REM C:\data\sys\batch\pac.cmd (This is version 3.0)
REM Single command: Win+R > pac
REM HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pac.exe
REM C:\data\sys\batch\pac.cmd v1p6_20250902
REM Sync WinHTTP proxy & apply PAC logic
REM Used after Psiphon starts to align proxy layers
REM C:\data\sys\batch\pac.cmd v1p7_20250916
REM Changes in v1.7 (20250916):
REM After applying PAC, capture proxy.cmd /status to a temp file
REM Parse PAC URL & Auto-Detect status from proxy.cmd output
REM Display parsed results instead of static PAC summary
REM C:\data\sys\batch\pac.cmd v1p8_20250916
REM Added PACURL variable at top for easy change
REM Improved /silent handling to work in any argument position
REM C:\data\sys\batch\pac.cmd v1p9_20250916
REM Fixed capture logic so temp file is created before parsing
REM C:\data\sys\batch\pac.cmd v2.0_20250916
REM Skips PAC apply step if PAC URL and Auto-Detect are already correct
REM C:\data\sys\batch\pac.cmd v2.1_20250916
REM Added note this may be called automatically from psiphon.bat v1.2
REM Added detection/logging if called from psiphon.bat
REM C:\data\sys\batch\pac.cmd v2.2_20250916
REM Added forced PAC set suggestion
REM C:\data\sys\batch\pac.cmd v2.3_20250916
REM Now always forces PAC URL + Auto-Detect to ensure persistence
REM C:\data\sys\batch\pac.cmd v2.4_20250916
REM Added re-capture of status after forcing PAC for accurate display
REM C:\data\sys\batch\pac.cmd v2.5_20250916
REM Verified re-capture placement after reg add to fix stale display bug
REM C:\data\sys\batch\pac.cmd v2.9_20250916
REM Hard-coded TEMPSTATUS to C:\tmp\pac_status.txt
REM Removed deletion of TEMPSTATUS at end
REM Section-aware parsing of PAC/AutoDetect block with /B matching
REM C:\data\sys\batch\pac.cmd v3.0_20250917 (242 lines)
REM Moved PAC registry enforcement into apply block
REM so proxy.cmd reflects correct status immediately
REM Added fallback enforcement even when PAC is already correct
:: Normally the pac file is served by a web server.
:: This script does not rely on Windows successfully fetching the PAC file
:: via HTTP. Instead, it Sets the registry key to point to the PAC URL
:: It assumes the PAC logic is known & trusted.
:: It uses proxy.cmd to apply proxy settings directly,
:: bypassing the need for Windows to interpret the PAC file
:: So even if http://127.0.0.1/proxy.pac is not actually being served
:: by a web server, the system still behaves as if it is because the
:: tooling here enforces the logic manually.
:: This is where Windows typically looks for the PAC script URL.
:: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
:: AutoConfigURL = http://127.0.0.1/proxy.pac
:: That tells Windows to fetch the PAC file from your own machine via HTTP
:: http://127.0.0.1/proxy.pac
:: C:\data\sys\batch\proxy.pac
:: curl http://127.0.0.1/proxy.pac
::
:: You could point to the actual pac file but that is less universal
:: AutoConfigURL = file:///C:/data/sys/batch/proxy.pac
::
:: C:\app\network\psiphon\psiphon3.exe -mode=socks
:: Win+R > control > Internet Options > Connections > LAN Settings
:: Automatic configuration
:: [x]Automatically detect settings
:: [x]Use automatic configuration script
:: Address http://127.0.0.1/proxy.pac
:: Proxy server
:: [x]Use a proxy server for your LAN
:: [x]Bypass proxy server for local addresses
::
:: Win+I > Settings > Network & Internet > Proxy > Manual proxy setup = on
:: Automatic proxy setup
:: Automatically detect settings = on
:: Use setup script = on
:: Script address = http://127.0.0.1/proxy.pac
:: Manual proxy setup
:: Use a proxy server = on
:: Address http=127.0.0.1:3736;https=127.0.0.1:3736;socks=127.0.0.1:1080
:: Port = <blank>
:: Use the proxy server except for addresses that start with the following entries. Use semicolons (;) to separate entries.
:: 10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;169.254.*;[fc*];[fd*];[fe8*];[fe9*];[fea*];[feb*]
:: [x]Do not use the proxy server for local intranet addresses
::
:: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
:: AutoConfigURL = http://127.0.0.1/proxy.pac
::
:: C:\data\sys\batch\proxy.pac
::

REM PAC URL variable
set "PACURL=http://127.0.0.1/proxy.pac"

REM Detect /silent flag anywhere in args
set SILENT=
for %%A in (%*) do (
if /i "%%A"=="/silent" set SILENT=1
)

REM Detect if called from psiphon.bat
echo %CMDCMDLINE% | find /I "psiphon.bat" >nul
if not errorlevel 1 (
echo [%DATE% %TIME%] pac.cmd detected it was called from psiphon.bat >> C:\data\sys\log\proxy.log
)

REM Log start
echo [%DATE% %TIME%] Run pac.cmd %* >> C:\data\sys\log\proxy.log

REM /status flag
for %%A in (%*) do (
if /i "%%A"=="/status" (
start "" "C:\data\sys\batch\proxy.cmd" /silent /status
exit /b
)
)

REM /nopac flag
for %%A in (%*) do (
if /i "%%A"=="/nopac" (
echo Disable PAC & Auto-Detect...
start "" "C:\data\sys\batch\proxy.cmd" /silent /nopac
exit /b
)
)

REM Sync WinINET into WinHTTP
echo Run proxy sync...
powershell -Command "Start-Process -FilePath 'cmd.exe' -ArgumentList '/c \"C:\data\sys\batch\proxy.cmd\" /sync' -NoNewWindow -Wait"

REM Hard-coded temp file path
set "TEMPSTATUS=C:\tmp\pac_status.txt"

REM Capture current PAC status
call "C:\data\sys\batch\proxy.cmd" /silent /status > "%TEMPSTATUS%"

REM Parse PAC URL and Auto-Detect from [3] PAC / AutoDetect section only
set "PACURL_FOUND="
set "AUTODETECT="
set "IN_PAC_SECTION="

for /f "usebackq delims=" %%L in ("%TEMPSTATUS%") do (
if defined IN_PAC_SECTION (
if not defined PACURL_FOUND echo %%L | findstr /B /I "PAC URL:" >nul && set "PACURL_FOUND=%%L"
if not defined AUTODETECT echo %%L | findstr /B /I "Auto-Detect" >nul && set "AUTODETECT=%%L"
if "%%L"=="" set "IN_PAC_SECTION="
)
if "%%L"=="[3] PAC / AutoDetect" set "IN_PAC_SECTION=1"
)

set "PACURL_FOUND=%PACURL_FOUND:PAC URL: =%"
set "AUTODETECT=%AUTODETECT:Auto-Detect =%"

REM Decide whether to apply PAC
set APPLY_PAC=0
if /i not "%PACURL_FOUND%"=="%PACURL%" set APPLY_PAC=1
if /i not "%AUTODETECT%"=="ENABLED" set APPLY_PAC=1

if "%APPLY_PAC%"=="1" (
echo Apply PAC logic...
powershell -Command "Start-Process -FilePath 'cmd.exe' -ArgumentList '/c \"C:\data\sys\batch\proxy.cmd\" %PACURL%' -NoNewWindow -Wait"

REM v2.10: Force PAC registry keys immediately after apply
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /t REG_SZ /d %PACURL% /f >nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoDetect /t REG_DWORD /d 1 /f >nul

REM Re-capture status after applying PAC
call "C:\data\sys\batch\proxy.cmd" /silent /status > "%TEMPSTATUS%"
) else (
echo PAC settings already correct - skipping apply step.

REM v2.10: Still enforce PAC registry keys to guarantee consistency
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /t REG_SZ /d %PACURL% /f >nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoDetect /t REG_DWORD /d 1 /f >nul
)

REM Re-capture status AFTER forcing PAC so display is accurate
echo Re-capturing final status...
call "C:\data\sys\batch\proxy.cmd" /silent /status > "%TEMPSTATUS%"
REM Parse PAC URL and Auto-Detect again from [3] PAC / AutoDetect section
set "PACURL_FOUND="
set "AUTODETECT="
set "IN_PAC_SECTION="

for /f "usebackq delims=" %%L in ("%TEMPSTATUS%") do (
if defined IN_PAC_SECTION (
if not defined PACURL_FOUND echo %%L | findstr /B /I "PAC URL:" >nul && set "PACURL_FOUND=%%L"
if not defined AUTODETECT echo %%L | findstr /B /I "Auto-Detect" >nul && set "AUTODETECT=%%L"
if "%%L"=="" set "IN_PAC_SECTION="
)
if "%%L"=="[3] PAC / AutoDetect" set "IN_PAC_SECTION=1"
)

set "PACURL_FOUND=%PACURL_FOUND:PAC URL: =%"
set "AUTODETECT=%AUTODETECT:Auto-Detect =%"

if defined PACURL_FOUND (
echo PAC URL: %PACURL_FOUND%
) else (
echo PAC URL: Not set
)

if /i "%AUTODETECT%"=="ENABLED" (
echo Auto-Detect ENABLED
) else (
echo Auto-Detect DISABLED
)

REM Final pause unless /silent
if not defined SILENT (
echo.
echo Press Enter, Spacebar, or any key to close...
pause >nul
)

exit /b

::START: You type Win+R -> psiphon
:: |
:: v
::psiphon.bat
:: - Check if running as admin
:: - If not, request UAC elevation and restart
:: - Launch mongoose.vbs to serve proxy.pac (moved earlier in v1.8)
:: - Wait 2 seconds for Mongoose to initialize (added in v1.8)
:: - Echo "waiting for mongoose..." during delay (added in v1.9)
:: - Verify PAC file is accessible via curl (added in v1.8)
:: - Launch psiphon3.exe in SOCKS mode
:: - Wait 5 seconds for Psiphon to initialize
:: - Log that pac.cmd is being run
:: - Call pac.cmd /silent
:: |
:: v
:: pac.cmd
:: - Log run
:: - Run proxy.cmd /sync to align WinINET -> WinHTTP
:: - Capture current PAC URL and Auto-Detect status
:: - If missing or wrong, call proxy.cmd with PAC URL
:: - Force set PAC URL and Auto-Detect in registry
:: - Re-capture status so final display is accurate
:: - Show final PAC and Auto-Detect status
:: - Return to psiphon.bat
:: - Force set PAC URL and Auto-Detect again (double guarantee)
:: - Pause for user to see output
:: - Exit without closing parent shell
::END
--
Note that this custom one-click socks5 proxy client is modular,
where each component can be individually run & tested in one step.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Marion wrote:

Tutorial:
Build a one-click Windows custom SOCKS5 proxy client using freeware

Included below is an OPTIONAL proxy-checking script that I wrote early on which outputs what is happening when Psiphon.bat is setting & unsetting
things, along with Psiphon itself syncing stuff when starts & stops.
C:\data\sys\batch\checkproxy.bat
Win+R > checkproxy

Bear in mind, about half the stuff that is checked below is set/unset
by Psiphon while the other half (roughly) is set/unset in my scripts.

That is, if you start Psiphon.exe without the scripts, only about half of
what actually happens will happen (although I changed the TARGET on the original Psiphon link to run the psiphon.bat script so it does it all).
Change Psiphon.lnk TARGET FROM C:\app\network\psiphon\psiphon3.exe
Change Psiphon.lnk TARGET TO C:\data\sys\batch\psiphon.bat

When the custom psiphon.bat script modifies system proxy configurations to route traffic through Psiphon's secure tunnel, here's what it changes:

1. WinINET (used by Internet Explorer and some legacy apps):
Psiphon does not enable a manual proxy here by default.
Proxy remains DISABLED unless manually set.

2. WinHTTP (used by system services and background tasks):
Initially set to "Direct access" (no proxy).
Psiphon syncs WinINET settings into WinHTTP.
Eventually sets WinHTTP proxy to:
http=127.0.0.1:63750
https=127.0.0.1:63750
socks=127.0.0.1:1080
Adds a bypass list for local and private IP ranges.

3. PAC (Proxy Auto-Config) and AutoDetect:
Before Psiphon: no PAC URL, Auto-Detect is DISABLED.
After Psiphon:
Sets PAC URL to http://127.0.0.1/proxy.pac
Enables Auto-Detect
PAC logic routes Gmail, Amazon Vine & Copilot directly
& sends other traffic through SOCKS proxy at 127.0.0.1:1080

In summary, the custom proxy client...
a. Sets a PAC script URL in the registry.
a. Enables Auto-Detect to apply PAC logic.
a. Syncs proxy settings from WinINET to WinHTTP.
a. Configures WinHTTP to use Psiphon's local proxy ports.
a. Leaves WinINET proxy disabled unless manually overridden.

This setup ensures that most apps and services follow the PAC logic and
route traffic through Psiphon's encrypted tunnel, while exempting trusted domains and local addresses.

Note that every file can be run via a doubleclick in the file explorer, or
it can be run in a Runbox via a custom 'App Paths' registry key, but in general, everything is connected together by the main psiphon.bat script.
Win+R > psiphon

When you run the Psiphon SOCKS5 GUI, it automatically changes certain
Windows proxy settings while it is active, and then reverts them when
you close it.

1. The PAC script URL in the WinINET (Internet Settings) registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
This is set to something like http://127.0.0.1/proxy.pac
when Psiphon is running, and cleared when it stops.

2. The Auto-Detect setting in the same key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
This is enabled when Psiphon is running with PAC logic,
and disabled when it stops.

3. The WinHTTP proxy configuration:
'netsh winhttp show proxy' will show Psiphon's local HTTP,
HTTPS & SOCKS ports while it is active & Direct access
(no proxy server) after it closes.

4. Optionally, Mongoose serves proxy.pac & listens on the localhost.
Mongoose is not responsible for setting registry keys or
configuring proxy settings itself, Instead, its role is limited to
Serving the PAC file (proxy.pac) over HTTP at http://127.0.0.1/proxy.pac
Listening on localhost to respond to Windows requests for the PAC script
Enabling dynamic retrieval of PAC logic when AutoConfigURL is set

In short, Psiphon's GUI automatically adjusts key Windows proxy settings
while active, then reverts them when closed. Specifically:
a. It sets the PAC script URL in the registry to http://127.0.0.1/proxy.pac.
b. It enables the Auto-Detect flag so Windows applies PAC logic.
c. It configures WinHTTP to use Psiphon's local proxy ports (HTTP, HTTPS & SOCKS).
d. It clears those settings when Psiphon exits, restoring direct access.

Together, Psiphon & my custom scripts create a unified proxy environment. Traffic is routed securely through Psiphon's tunnel where finicky domains (such as Amazon Vine, Google GMail & Microsoft AI clients) are bypassed,
and local addresses are excluded.

When the tunnel closes, everything reverts cleanly to default behavior.
Here is an OPTIONAL custom script which simply reports what's happened.

@echo off
REM C:\data\sys\batch\checkproxy.bat 20250916
REM This is version 1.2
REM Custom unified Windows proxy diagnostic tool
REM v1.0 lists WinINET manual proxy, WinHTTP proxy, PAC/AutoDetect
REM v1.1 replaces echo. with echo( to avoid command misinterpretation
REM v1.2 adds PAC file existence check and SHA256 hash logging (114 lines)

setlocal

set KEY="HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
set PACFILE=C:\data\sys\batch\proxy.pac

echo ==============================================
echo WINDOWS PROXY CONFIGURATION CHECK
echo ==============================================

REM --- PAC file existence check ---
if not exist "%PACFILE%" (
echo WARNING: PAC file not found at %PACFILE%
) else (
echo PAC file found at %PACFILE%
echo PAC file SHA256 hash:
certutil -hashfile "%PACFILE%" SHA256
)

REM --- WinINET (manual proxy) ---
echo(
echo [1] WinINET / Internet Settings
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v ProxyEnable 2^>nul') do set ProxyEnable=%%B
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v ProxyServer 2^>nul') do set ProxyServer=%%B
if "%ProxyEnable%"=="0x1" (
echo Proxy is ENABLED
echo Proxy server: %ProxyServer%
) else (
echo Proxy is DISABLED
)

REM --- WinHTTP proxy ---
echo(
echo [2] WinHTTP proxy (system/background services)
netsh winhttp show proxy

REM --- PAC (Proxy Auto-Config) & AutoDetect ---
echo(
echo [3] PAC / AutoDetect
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v AutoConfigURL 2^>nul') do set PACurl=%%B
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v AutoDetect 2^>nul') do set AutoDetect=%%B

if defined PACurl (
echo PAC script set: %PACurl%
) else (
echo No PAC script URL found.
)

if "%AutoDetect%"=="0x1" (
echo Auto-detect is ENABLED
) else (
echo Auto-detect is DISABLED
)

echo(
echo ==============================================
echo Check complete.
echo ==============================================

endlocal
pause
--
Efficiency is turning 4 clicks into 3 & 3 clicks into 2 & 2 clicks into 1.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Marion wrote:

Included below is an OPTIONAL proxy-checking script that I wrote early on which outputs what is happening when Psiphon.bat is setting & unsetting things, along with Psiphon itself syncing stuff when starts & stops.
C:\data\sys\batch\checkproxy.bat
Win+R > checkproxy

Here is a sample output from the OPTIONAL checkproxy status reporter.
Win+R > checkproxy
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\checkproxy.exe
@=C:\data\sys\batch\checkproxy.bat

BEFORE:
==============================================
WINDOWS PROXY CONFIGURATION CHECK
==============================================
PAC file found at C:\data\sys\batch\proxy.pac
PAC file SHA256 hash:
SHA256 hash of C:\data\sys\batch\proxy.pac:
2517c249250634f579524fae59194aee32a4498a5c6bbf3cf4ef40b3d493bb46
CertUtil: -hashfile command completed successfully.

[1] WinINET / Internet Settings
Proxy is DISABLED

[2] WinHTTP proxy (system/background services)

Current WinHTTP proxy settings:

Direct access (no proxy server).


[3] PAC / AutoDetect
No PAC script URL found.
Auto-detect is DISABLED

==============================================
Check complete.
==============================================
Press any key to continue . . .

AFTER:
waiting for mongoose... (added in v2.0)
Run proxy sync...
Sync WinINET into WinHTTP...

Current WinHTTP proxy settings:

Direct access (no proxy server).

Done.
============================================
WINDOWS PROXY CONFIG CHECK
============================================

[1] WinINET
Proxy DISABLED

[2] WinHTTP
WinHTTP proxy already set

Current WinHTTP proxy settings:

Direct access (no proxy server).


[3] PAC / AutoDetect
PAC URL: http://127.0.0.1/proxy.pac
PAC logic: Bypass Gmail, Amazon Vine, Copilot
Other traffic via SOCKS proxy 127.0.0.1:1080
Auto-Detect DISABLED

============================================
Proxy check complete
============================================
Apply PAC logic...
Set PAC URL: http://127.0.0.1/proxy.pac
============================================
WINDOWS PROXY CONFIG CHECK
============================================

[1] WinINET
Proxy DISABLED

[2] WinHTTP
WinHTTP proxy already set

Current WinHTTP proxy settings:

Direct access (no proxy server).


[3] PAC / AutoDetect
PAC URL: http://127.0.0.1/proxy.pac
PAC logic: Bypass Gmail, Amazon Vine, Copilot
Other traffic via SOCKS proxy 127.0.0.1:1080
Auto-Detect ENABLED

============================================
Proxy check complete
============================================
Re-capturing final status...
PAC URL: http://127.0.0.1/proxy.pac
Auto-Detect ENABLED

Current WinHTTP proxy settings:

Proxy Server(s) : http=127.0.0.1:63750;https=127.0.0.1:63750;socks=127.0.0.1:1080
Bypass List : <local>;10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;169.254.*;[fc*];[fd*];[fe8*];[fe9*];[fea*];[feb*]
--
The Psiphon proxy is much faster than system-wide VPN typically is.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Marion wrote:

==============================================
WINDOWS PROXY CONFIGURATION CHECK
==============================================
PAC file found at C:\data\sys\batch\proxy.pac
SHA256 hash of C:\data\sys\batch\proxy.pac:

Ooops. I belatedly realized I had not posted the PAC file in the OP.
From: Marion <marionf@fact.com>
Newsgroups: alt.comp.os.windows-10,alt.comp.os.windows-11,alt.msdos.batch
Subject: Tutorial: Build a one-click Windows custom SOCKS5 proxy
client using freeware
Date: Thu, 18 Sep 2025 07:30:02 -0000 (UTC)
Message-ID: <10agcdq$2e02$1@nnrp.usenet.blueworldhosting.com>
<https://al.howardknight.net/?STYPE=msgid&MSGI=%3C10agcdq%242e02%241%40nnrp.usenet.blueworldhosting.com%3E>

The custom PAC file is optional, of course, but it allows you to bypass finicky domains, where I get tens of thousands of dollars of "free stuff"
from Amazon Vine every year, so I don't want to piss the Vine Robots off
by changing IP addresses constantly on them (since you have to log in to
get free stuff) <https://amazon.com/vine/about> and, of course, I use TB/BB
to log into Google Gmail servers where Google hates it when my IP changes
(it finally got used to my system time changing randomly as per scripting).

/*
proxy.pac C:\data\sys\batch\proxy.pac (20250902)
This is version 1.2
Selectively bypass proxy for sites sensitive to tunneling or IP shifts:
- Google services (search, news, mail, etc. but Thunderbird is stupid).
- Amazon (especially the Amazon Vine Voice program)
- Microsoft domains (Copilot, Bing, etc.)
All other traffic routed through local SOCKS proxy at 127.0.0.1:1080

Useful for split-tunnel setups where trusted domains go direct
but everything else is encrypted via Psiphon SOCKS5 proxy.

If needed, test PAC web access and fundamental logic with:
- https://pactester.brdbnt.com/
- https://github.com/termsl/WPADChecker
- curl http://127.0.0.1/proxy.pac

Version 1.0 (added Amazon Vine Voice https://amazon.com/vine/about)
Version 1.1 (added Google Gmail but I need to add it to Thunderbird)
Version 1.2 (added Microsoft sites for practice adding domains)
*/

function FindProxyForURL(url, host) {
// Bypass Gmail & Google (but Thunderbird needs to be set up right)
if (shExpMatch(host, "*.google.com") ||
shExpMatch(host, "*.gmail.com") ||
shExpMatch(host, "mail.google.com")) {
return "DIRECT";
}

// Bypass Amazon Vine https://amazon.com/vine/about
if (shExpMatch(host, "*.amazon.com") ||
shExpMatch(host, "amazon.com")) {
return "DIRECT";
}

// Bypass Copilot & Microsoft domains for practice
if (shExpMatch(host, "*.copilot.microsoft.com") ||
shExpMatch(host, "*.bing.com") ||
shExpMatch(host, "*.microsoft.com")) {
return "DIRECT";
}

// All other traffic via SOCKS
return "SOCKS 127.0.0.1:1080";
}

In addition, you can NOT set up Thunderbird for SOCKS5 via Psiphon.
1. Thunderbird:
Tools > Settings > Network & Disk Space > Connection > Settings...
2. In the Connection Settings dialog:
a. Select "Manual proxy configuration"
b. Under "SOCKS Host", enter: 127.0.0.1
c. Port: 1080
d. Choose "SOCKS v5"
3. Leave "HTTP Proxy", "SSL Proxy" & "FTP Proxy" blank.
4. Optionally check "Use proxy server for all protocols" if needed.
5. Click "OK" to save.

Why not?
A. Thunderbird does not use Windows proxy settings or PAC files.
B. You must configure proxy settings manually inside Thunderbird.
C. If Psiphon is not running, connections through 127.0.0.1:1080 will fail.
D. For automation, you can launch Thunderbird via a batch script
that sets environment variables like:
set SOCKS_PROXY=127.0.0.1:1080
start thunderbird.exe
E. Which you can tie into an easy command in the system registry
Win+R > tb
Where tb is defined in the registry App Paths key as
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\tb.exe
And where tb.exe is a keyword pointing to tb.lnk or tb.bat files.

Unfortunately, Thunderbird does not use PAC file logic, even if we
configure it to use a SOCKS proxy. Sigh. They don't know how to code.

When we manually set Thunderbird to use 127.0.0.1:1080 as a SOCKS5 proxy,
it sends all traffic through that proxy regardless of any of those special
PAC rules defined in proxy.pac above.

Thunderbird does not support domain-based proxy exceptions
If I use "Manual proxy configuration" with SOCKS 127.0.0.1:1080,
then all traffic goes through Psiphon but Google hates IP changes.
There is no built-in way in TB to exclude Gmail while proxying others.

PAC files are only interpreted by applications that support automatic proxy configuration via system settings (like most browsers). Unfortunately for
us, Thunderbird does not read or apply PAC logic internally.

So even if my PAC file says to bypass Gmail and go direct, Thunderbird will still send Gmail traffic through the SOCKS proxy unless I manually exclude
it or use a different method.

The only way I know around Thunderbird's lack of proper coding is to make Thunderbird connect directly to Gmail (without routing through Psiphon).

To do that, I need to bypass the SOCKS proxy for Gmail-related domains.
Since Thunderbird does not support PAC files or system proxy exceptions, we must do this manually (aurgh!). I hate doing anything manually. Sigh.

OPTION 1: Disable proxy in Thunderbird entirely
a. Tools > Settings > Network & Disk Space > Connection > Settings...
b. Select "No proxy"
c. This sends all traffic directly, including Gmail

Thunderbird does not support domain-based proxy exceptions
If you use "Manual proxy configuration" with SOCKS 127.0.0.1:1080,
then all traffic goes through Psiphon
There is no built-in way to exclude Gmail while proxying other traffic

OPTION 2: Launch Thunderbird with proxy environment variables. Yuck.
a. Set environment variables before launching Thunderbird:
set NO_PROXY=google.com,gmail.com
set SOCKS_PROXY=127.0.0.1:1080
start thunderbird.exe
Note: This may work for some protocols, but Thunderbird does not
fully honor NO_PROXY for IMAP/SMTP, so it's an ugly workaround.

While Betterbird is a fork of Thunderbird that focuses on usability improvements, bug fixes and faster feature delivery, unfortunately
Betterbird uses the exact same sophomoric proxy engine as Thunderbird.

In short, TB/BB does not support smart split proxy logic like browsers do,
so bypassing Gmail while using Psiphon requires trade-offs in our setup.
--
Note that a.c.s.t was added only for this one related post of the dozen.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Marion wrote:

OPTION 1: Disable proxy in Thunderbird entirely
a. Tools > Settings > Network & Disk Space > Connection > Settings...
b. Select "No proxy"
c. This sends all traffic directly, including Gmail

Thunderbird does not support domain-based proxy exceptions
If you use "Manual proxy configuration" with SOCKS 127.0.0.1:1080,
then all traffic goes through Psiphon
There is no built-in way to exclude Gmail while proxying other traffic

OPTION 2: Launch Thunderbird with proxy environment variables. Yuck.
a. Set environment variables before launching Thunderbird:
set NO_PROXY=google.com,gmail.com
set SOCKS_PROXY=127.0.0.1:1080
start thunderbird.exe

A customizable-domain proxy client is great, but some Windows apps, like Thunderbird/Betterbird, won't use the intelligent PAC file to determine
which domains should bypass the proxy and which should be tunneled.

I'm not sure which mail domains are finicky (e.g., protonmail?) but in my experience, Google's servers hate it when I use VPN and/or SOCKS proxy.

So the simplest option is to turn off the TB/BB proxy setting altogether.

I'm in Betterbird 102.10.1-bb34 (64-bit) where the settings to make
Betterbird connect directly to Gmail (without using a proxy) are...
1. Start Betterbird 102.10.1-bb34
2. Go to "Tools > Settings > General"
3. Scroll down to "Network & Disk Space"
4. Click the "Connection" [Settings...] button.
5. In the Connection Settings dialog is a section titled
"Configure Proxies to Access the Internet"
6. The default is "Use system proxy settings"
7. Change that to "No proxy" if you're using GMail, which is finicky.
8. Click "OK" to save and exit.

This should be exactly the same for Thunderbird since BetterBird
improvements don't extend to the proxy mechanism of Thunderbird.

Turning off the proxy mechanism ensures Betterbird bypasses any SOCKS proxy
or system proxy settings and connects directly to Gmail servers using the normal internet connection.

If you know of a way to get TB to respect Windows PAC files, let me know!
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

This is optional, for privacy since Psiphon phones home upon invocation,
where below is a dummybrowser.bat file which captures rogue URI calls.

This other piece of the evolving puzzle which was solved within days of installing Psiphon, which is that when executed, it phones home to a server.

Worse, see sig, it adds a LOT of fingerprinting data to that call home!

Not only does it phone home to a web server, but it provides that web
server with a ton of fingerprinting information you'd rather not give it.

It's hard coded into Psiphon, but you can intercept it so it never makes it onto the Internet, where there are many ways to intercept rogue URIs.

I chose to change the default browser but there are many other ways.
Note that you "can" set up a default browser to a batch file (*.bat)
but I didn't know that at the time I set it up as it's not one
of the options by default, so I converted the batch to an executable.

At first I tried the native Windows bat-to-exe converter wizard
C:\Windows\System32\IExpress.exe
But after a few attempts, I switched to the Bat_To_Exe_Converter.
<https://github.com/l-urk/Bat-To-Exe-Converter-64-Bit/releases>
Name: Bat_To_Exe_Converter_x64.exe
Size: 2106368 bytes (2057 KiB)
SHA256: 1399EDE8F024E70025E55321D25BEAB7104A32E79512B11B4FFC779C82542CC6

Here's how I set dummybrowser.bat -> exe to the default web browser.

1. Write the dummybrowser.bat file (included below for completeness).

2. Convert the dummybrowser.bat batch file to an EXE:
a. Open the Bat_To_Exe_Converter_x64.exe freeware converter
b. File > Open > C:\data\sys\batch\dummybrowser.bat
c. Set options:
Exe-Format: 32-bit
Interface: Console (Visible)
Leave other fields blank
d. Click Convert
e. Save as: C:\data\sys\batch\dummybrowser.exe

3. Create a Windows registry entry for your dummy browser:
a. Open an elevated command prompt (Win+R > cmd {ctrl+shift+enter})
b. Run the following command to add the registry key:
reg add "HKLM\SOFTWARE\Classes\DummyBrowserHTML\shell\open\command" /ve /d "\"C:\\data\\sys\\batch\\dummybrowser.exe\" \"%1\"" /f

4. Set your dummybrowser executable as the default Windows browser:
a. Open Windows Settings (Win+I)
b. Go to Apps > Default apps
c. Scroll to "Web browser"
d. Click the current browser icon
e. Choose "Dummy Browser" from the list

5. Verify interception:
a. Run: C:\data\sys\batch\dummybrowser.exe "https://example.com"
b, Check log file: type C:\data\sys\log\dummybrowser.log
c. Confirm entries are logged

NOTES:
A. dummybrowser.exe will now intercept all system-level browser calls
B. It's useful for logging or blocking rogue outbound traffic
C. I used gVim but you may need to change the path to NotePad++

Here's the dummybrowser.bat code (which can be greatly improved).
@echo off
REM C:\data\sys\batch\dummybrowser.bat 20250819
REM This is rev 2.0
REM All calls to the default web browser are intercepted & logged
REM C:\data\sys\batch\dummybrowser.bat 20250916 revision 1.8
REM C:\data\sys\batch\dummybrowser.bat 20250916 revision 1.9
REM Removed gVim launch so the log is now read only when displayed
REM C:\data\sys\batch\dummybrowser.bat 20250916 revision 2.0
REM Restored gVim launch in read-only mode to view log w/o locking
:: Batch to be converted to an exe to be easily set as the default browser
:: Start clean by deleting any existing log files.
:: del C:\data\sys\log\dummybrowser.log
:: Open admin prompt (Win+R > cmd {ctrl+shft+enter} & kill leftovers
:: taskkill /IM dummybrowser.exe /F
:: Start GitHub Bat_To_Exe_Converter_x64.exe
:: <https://github.com/l-urk/Bat-To-Exe-Converter-64-Bit/releases>
:: File > Open > C:\data\sys\batch\dummybrowser.bat
:: Options: Exe-Format: 32-bit | Console (Visible)
:: Leave all other fields blank/unchecked
:: Click Convert
:: Save as: C:\data\sys\batch\dummybrowser.exe
:: To test, run in a command prompt:
:: C:\data\sys\batch\dummybrowser.exe test123
:: [Tue 09/16/2025 16:55:50.72] Attempted launch: (fingerprint)
:: C:\data\sys\batch\dummybrowser.exe test123
:: C:\data\sys\batch\dummybrowser.exe "https://abc.com/?a=1&b=2"
:: Verify both entries in: C:\data\sys\log\dummybrowser.log
:: type C:\data\sys\log\dummybrowser.log
:: Confirm registry entry for default browser options exists.
:: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DummyBrowserHTML\shell\open\command]
:: @="\"C:\\data\\sys\\batch\\dummybrowser.exe\" \"%1\""
:: Check that dummybrowser is set as the default browser
:: Win+I > Apps > Default apps > Web browser > Choose Dummy Browser

set LOGFILE=C:\data\sys\log\dummybrowser.log

REM Append new entry
echo [%date% %time%] Attempted launch: %* >> %LOGFILE%

REM Open log in gVim read-only and exit immediately
start "" "C:\app\editor\txt\vim\gvim.exe" -R "%LOGFILE%"

exit /b

Note that this dummy browser, while useful with for Psiphon, is not required. --
This is an actual capture from my dummy browser log file.
[Wed 09/17/2025 9:26:06.04] Attempted launch: C:\data\sys\batch\dummybrowser.exe "https://ipfounder.net/?sponsor_id=1CD935B4F29412DA&sponsor=psiphon&client_region=US&client_asn=32829&client_platform=windows&secret=580XghQJ18zK2gpxV7cfR3wTEUydcHK8KCEryhkes6QJtmRDF1xnPQqvydpwxzUvZtqnvT5yqLFnfXEnUgie7m9kiW8P4QRZpir3j7eFeLKC5DhM7EloZTFNu3DD8XKux2MBY6mcdUC7jqhVy17xynvEMaZ2bkfdgQHCrgsRKej3r7uc1HTGg2PL4y2rYLxzknOQc4K&psireason=connect&psicash=eyJtZXRhZGF0YSI6eyJjbGllbnRfcmVnaW9uIjoiVVMiLCJjbGllbnRfdmVyc2lvbiI6IjE4NiIsInByb3BhZ2F0aW9uX2NoYW5uZWxfaWQiOiI5MkFBQ0M1QkFCRTA5NDRDIiwic3BvbnNvcl9pZCI6IjFDRDkzNUI0RjI5NDEyREEiLCJ1c2VyX2FnZW50IjoiUHNpcGhvbi1Qc23DYXNoLVdpbmRvd3MiLCJ4IjoxfSwidGltZXN0YW1wIjoiMjAyNS0wOS0xN1QxNToyNjowNS42NDBaIiwidG9rZW5zIjpidWxsLCJ2IjoxfD"
[Wed 09/17/2025 10:24:25.23] Attempted launch: C:\data\sys\batch\dummybrowser.exe "https://ipfounder.net/?sponsor_id=1CD935B4F29412DA&sponsor=psiphon&client_region=US&client_asn=32829&client_platform=windows&secret=580XghQJ18zK2gpxV7cfR3wTEUydcHK8KCEryhkes6QJtmRDF1xnPQqvydpwxzUvZtqnvT5yqLFnfXEnUgie7m9kiW8P4QRZpir3j7eFeLKC5DhM7EloZTFNu3DD8XKux2MBY6mcdUC7jqhVy17xynvEMaZ2bkfdgQHCrgsRKej3r7uc1HTGg2PL4y2rYLxzknOQc4K&psireason=connect&psicash=eyJtZXRhZGF0YSI6eyJjbGllbnRfcmVnaW9uIjoiVVMiLCJjbGllbnRfdmVyc2lvbiI6IjE4NiIsInByb3BhZ2F0aW9uX2NoYW5uZWxfaWQiOiI5MkFBQ0M1QkFCRTA5NDRDIiwic3BvbnNvcl9pZCI6IjFDRDkzNUI0RjI5NDEyREEiLCJ1c2VyX2FnZW50IjoiUHNpcGhvbi1Qc23DYXNoLVdpbmRvd3MiLCJ4IjoxfSwidGltZXN0YW1wIjoiMjAyNS0wOS0xN1QxNjoyNDoyNS4xMjJaIiwidG9rZW5zIjpidWxsLCJ2IjoxfD"
[Wed 09/17/2025 11:46:38.25] Attempted launch: C:\data\sys\batch\dummybrowser.exe "https://ipfounder.net/?sponsor_id=1CD935B4F29412DA&sponsor=psiphon&client_region=US&client_asn=32829&client_platform=windows&secret=580XghQJ18zK2gpxV7cfR3wTEUydcHK8KCEryhkes6QJtmRDF1xnPQqvydpwxzUvZtqnvT5yqLFnfXEnUgie7m9kiW8P4QRZpir3j7eFeLKC5DhM7EloZTFNu3DD8XKux2MBY6mcdUC7jqhVy17xynvEMaZ2bkfdgQHCrgsRKej3r7uc1HTGg2PL4y2rYLxzknOQc4K&psireason=connect&psicash=eyJtZXRhZGF0YSI6eyJjbGllbnRfcmVnaW9uIjoiVVMiLCJjbGllbnRfdmVyc2lvbiI6IjE4NiIsInByb3BhZ2F0aW9uX2NoYW5uZWxfaWQiOiI5MkFBQ0M1QkFCRTA5NDRDIiwic3BvbnNvcl9pZCI6IjFDRDkzNUI0RjI5NDEyREEiLCJ1c2VyX2FnZW50IjoiUHNpcGhvbi1Qc23DYXNoLVdpbmRvd3MiLCJ4IjoxfSwidGltZXN0YW1wIjoiMjAyNS0wOS0xN1QxNzo0NjozNy43MjdaIiwidG9rZW5zIjpidWxsLCJ2IjoxfD"
[Thu 09/18/2025 2:52:35.33] Attempted launch: C:\data\sys\batch\dummybrowser.exe "https://ipfounder.net/?sponsor_id=1CD935B4F29412DA&sponsor=psiphon&client_region=US&client_asn=32829&client_platform=windows&secret=580XghQJ18zK2gpxV7cfR3wTEUydcHK8KCEryhkes6QJtmRDF1xnPQqvydpwxzUvZtqnvT5yqLFnfXEnUgie7m9kiW8P4QRZpir3j7eFeLKC5DhM7EloZTFNu3DD8XKux2MBY6mcdUC7jqhVy17xynvEMaZ2bkfdgQHCrgsRKej3r7uc1HTGg2PL4y2rYLxzknOQc4K&psireason=connect&psicash=eyJtZXRhZGF0YSI6eyJjbGllbnRfcmVnaW9uIjoiVVMiLCJjbGllbnRfdmVyc2lvbiI6IjE4NiIsInByb3BhZ2F0aW9uX2NoYW5uZWxfaWQiOiI5MkFBQ0M1QkFCRTA5NDRDIiwic3BvbnNvcl9pZCI6IjFDRDkzNUI0RjI5NDEyREEiLCJ1c2VyX2FnZW50IjoiUHNpcGhvbi1Qc23DYXNoLVdpbmRvd3MiLCJ4IjoxfSwidGltZXN0YW1wIjoiMjAyNS0wOS0xN1QxNzo0NjozNy43MjdaIiwidG9rZW5zIjpidWxsLCJ2IjoxfD"
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Arlen,

This other piece of the evolving puzzle which was solved within
days of installing Psiphon, which is that when executed, it phones
home to a server.

Really ? "it phones home to a server" ? Either you have no idea how a VPN (for hiding your IP) works, or you forgot to add some information.

Also, have you ever thought about checking what that server it "phones home" to actually is ? No ? Why not ?

Furthermore, do you think that if the makers of Psiphon wanted grab some private data from your 'puter they could not have simply added another connection to the tunnel it creates - leaving you none-the-wiser ?

iow, the Psiphon client software does not need that "dummy browser" of yours to connect with the internet. Worse, it would make the the whole "phoning home" thing needlesly complicated.

-- But if it actually "phones home" to grab data from your machine that way (unlikely) than do remember the old saying : when you get stuff for free its likely you are the product, not the customer.

Regards,
Rudy Wieser


--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Marion wrote:

Turning off the proxy mechanism ensures Betterbird bypasses any SOCKS proxy or system proxy settings and connects directly to Gmail servers using the normal internet connection.

If you know of a way to get TB to respect Windows PAC files, let me know!

Thinking about the solution as I rarely (if ever) fail, I think I may have found an easy cross-platform open source solution to that problem set...

A PAC (Proxy Auto Config) file is a JavaScript file used by browsers or
other applications that support the PAC standard. For each URL or host it decides whether to send the request through a proxy or connect directly. It only works for software that can load and follow a PAC file. PAC files are generally limited to controlling HTTP and HTTPS traffic and do not handle other protocols such as IMAP or SMTP. Programs that ignore proxy settings
such as Thunderbird or Betterbird (which are not browsers) will not be affected.

To make Thunderbird follow proxy rules we need an external tool that can intercept its connections. My first choice would be an open source
proxifier such as SocksCap64 which can force Thunderbird to use a proxy. However SocksCap64 cannot apply different rules for different domains and
will send all traffic through the same proxy without selective routing.
<https://sourceforge.net/projects/sockscap64/>

<https://netactuate.dl.sourceforge.net/project/sockscap64/SocksCap64-setup-3.6.exe>
Name: SocksCap64-setup-3.6.exe
Size: 6193115 bytes (6047 KiB)
SHA256: B2DA49EC9A2702CFD7625D3F152AF98A4C8E3E155DAB78686962BB3DF1F76825

This is where the cross-platform open-source NekoBox may come in handy.
<https://github.com/MatsuriDayo/nekoray

<https://github.com/MatsuriDayo/nekoray/releases/download/4.0.1/nekoray-4.0.1-2024-12-12-windows64.zip>
Name: nekoray-4.0.1-2024-12-12-windows64.zip>
Size: 41719145 bytes (39 MiB)
SHA256: A492224792C38BD1A3B7A5438B1431C5CB4260F55E9A121DB3B2CE1603F7664A

NekoRay or NekoBox is an open source V2Ray/Sing box proxy manager with a graphical interface that sits between our applications & our upstream
proxy such as Psiphon. Unlike proxifiers such as SocksCap64, NekoBox can
apply user-defined specific-domain routing rules so that some domains or IP ranges go through a proxy while others connect directly (bypassing
proxies).

NekoRay can also handle multiple protocols including HTTP HTTPS SOCKS
IMAP SMTP and more which allows it to apply selective routing to non HTTP traffic. By pointing Thunderbird to NekoBox instead of directly to Psiphon
we should be able to recreate the selective routing logic of a PAC file and apply it to applications that do not support PAC files at all.

In practice this means we can keep using the PAC file to control proxy behavior for web browsers exactly as we do now while letting NekoRay handle the same selective routing for Thunderbird. We would configure NekoRay so
that Gmail IMAP and SMTP servers are marked as direct connections and all other destinations are sent through Psiphon. Thunderbird would be pointed
to NekoRay's local listener instead of Psiphon directly so NekoRay can
enforce those rules. The end result is a unified setup where browsers
follow the PAC file and non browser applications such as Thunderbird follow equivalent rules inside NekoRay giving us consistent split tunnel behavior across all software.

I am testing it as we speak but I post this 1st to ask if anyone has a
better solution to force Thunderbird to selectively route so that all
traffic goes through the proxy except the Google GMail server traffic.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

UPDATE

In another thread today I described how I installed & ran a YouTube client that allowed me to view YouTube videos without logging in & without any ads (both the type of ads that YouTube inserts & even creator-inserted ads).
a. Pre-roll ads (before the video starts)
b. Mid-roll ads (interrupting the video)
c. Banner ads (overlaying the video)
d. Sidebar ads (on the YouTube page)
e. Sponsor blocks (remove known ads inserted by creators)
<https://freetubeapp.io/>

The YouTube client I tested today was FreeTube, which worked well.
But it was obstinate during a proxy that it didn't like my proxy.
Worse, AFTER the proxy was shut down, it failed until I rebooted.

Huh?
Why did FreeTube barf when I killed the proxy but nothing did before it?

Turns out my script to kill the proxy needed a LOT of improvements!
The FreeTube "app" is apparently a web browser using system-proxy settings.

It was still using "some" of the proxy settings even though the proxy
was no longer running. I hadn't noticed before that this happened.

Hence, here's a working script to KILL the proxy & wipe it off Windows.

@echo off
REM C:\data\sys\batch\psiphonstop.bat version 1.0 20250819
REM This is psiphonstop.bat version 1.9
REM Close Psiphon GUI first to let it attempt its own cleanup.
REM Then run psiphonstop.bat to:
REM 1. Check for any lingering processes (Psiphon or Mongoose).
REM 2. Kill any lingering processes (Psiphon or Mongoose).
REM 3. Reset WinINET and WinHTTP proxy settings.
REM 4. Log the shutdown for traceability in mongoose & proxy logs.
REM Additions in version 1.0 (41 lines)
REM As admin, it stops Psiphon GUI, Mongoose, and resets proxy settings
REM Logs shutdown event to proxy.log and mongoose.log for lifecycle tracking
REM Changes in version 1.1 (46 lines)
REM Added Psiphon GUI termination step (v1.1)
REM Added [STOP] prefix to log entries for clarity (v1.1)
REM Changes in version 1.2 (56 lines)
REM Added conditional checks for running processes before attempting kill/log
REM Only logs shutdown events if process was found running
REM 20250920 psiphonstop.bat 1.3 (68 lines)
REM Fixed Registry Key Not Found error when run with nothing to do
REM Fixed "reset" not a command error by removing the ampersand in the echo
REM 20250920 psiphonstop.bat 1.4 (79 lines)
REM Added better error checking to see if Psiphon or Mongoose are running
REM Added a closer line in the console
REM 20250920 psiphonstop.bat 1.5 (89 lines)
REM Added better explanation of the registry changes in the console output
REM 20250920 psiphonstop.bat 1.6 (108 lines)
REM Set ProxyEnable to 0 so the system knows to bypass proxies (v1.6)
REM Clear ProxyOverride if Psiphon used custom bypass rules (v1.6)
REM Flush DNS and restart networking stack (v1.6)
REM 20250920 psiphonstop.bat 1.7 (121 lines)
REM Exported keys before deletion, just in case (v1.7)
REM fully refresh network adaptor (optional) v1.7
REM 20250920 psiphonstop.bat 1.8 (138 lines)
REM Check for environment proxy settings (v1.8)
REM add browser cache flush and settings reminder (v1.8)
REM add summary log entry with system state (v1.8)
REM Add a success beep or visual cue (v1.8)
REM 20250920 psiphonstop.bat 1.9 (152 lines)
REM Added version banner
REM Log envvars (v1.9)
REM Add browser-specific cleanup reminders (v1.9)

echo ----------------------------------------
echo Psiphonstop.bat v1.9 - Proxy Reset Tool
echo ----------------------------------------

:: --- Elevate to admin if not already ---

nul 2>&1 net session

if %errorlevel% neq 0 (
echo Requesting administrative privileges...
powershell -Command "Start-Process '%~f0' -Verb RunAs"
exit /b
)

REM Check if Psiphon GUI is running (updated for better errors) v1p4
tasklist /fi "imagename eq psiphon3.exe" | find /i "psiphon3.exe" >nul
if %errorlevel%==0 (
taskkill /f /im psiphon3.exe >nul 2>&1
echo [%DATE% %TIME%] [STOP] Psiphon GUI terminated by psiphonstop.bat >> C:\data\sys\log\proxy.log
) else (
echo [%DATE% %TIME%] [STOP] No Psiphon GUI process found >> C:\data\sys\log\proxy.log
)

REM Check if Mongoose is running (updated checks in v1.4)
tasklist /fi "imagename eq mongoose.exe" | find /i "mongoose.exe" >nul
if %errorlevel%==0 (
taskkill /f /im mongoose.exe >nul 2>&1
echo [%DATE% %TIME%] [STOP] Mongoose terminated by psiphonstop.bat >> C:\data\sys\batch\mongoose.log
) else (
echo [%DATE% %TIME%] [STOP] No Mongoose process found >> C:\data\sys\batch\mongoose.log
)


REM Exported keys before deletion, just in case (v1.7)
reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" C:\data\sys\log\proxy_before_reset.reg

REM Reset WinINET proxy settings
echo Resetting WinINET proxy registry values...
REM Fixed Registry Key Not Found error when run with nothing to do (v1.3)
:: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /f >nul
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /f 2>nul

echo reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /f 2>nul

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoDetect /t REG_DWORD /d 0 /f >nul

echo reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoDetect /t REG_DWORD /d 0 /f >nul

:: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f >nul
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f 2>nul
echo reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f 2>nul

:: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f >nul
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f 2>nul
echo reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f 2>nul

REM v1p6
REM Deleting ProxyEnable and ProxyServer does not restore direct access.
REM Set ProxyEnable to 0 so the system knows to bypass proxies (v1.6)
REM Windows interprets missing values differently than explicitly set ones.
REM Explicitly set ProxyEnable to 0 so the system knows to bypass proxies.
REM Now Windows knows to use direct access, not |no proxy server defined.i
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

REM Clear ProxyOverride if Psiphon used custom bypass rules (v1.6)
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f

REM Flush DNS and restart networking stack (v1.6)
ipconfig /flushdns
netsh int ip reset

echo Registry operations completed with Proxy settings cleared or updated.

REM Reset WinHTTP proxy settings
netsh winhttp reset proxy

REM Always log proxy reset regardless of process status
echo [%DATE% %TIME%] [STOP] Proxy settings reset by psiphonstop.bat >> C:\data\sys\log\proxy.log

REM Fixed "reset" unrecognized command error by removing ampersand (v1p3)
:: echo Psiphon, proxy settings, and Mongoose have been logged & reset.
echo "Psiphon, proxy settings and Mongoose have been logged and reset."

REM Check for environment proxy settings (v1.8)
set | findstr /i proxy
REM Log envvars (v1.9)
set | findstr /i proxy >> C:\data\sys\log\proxy_envvars.log

REM fully refresh network adaptor (optional) v1.7
netsh winsock reset

REM add browser cache flush and settings reminder (v1.8)
echo Reminder: Disable any proxy/VPN browser extensions manually.
echo Reminder: Clear browser cache or try Incognito mode if issues persist.

REM Add browser-specific cleanup reminders (v1.9)
echo Chrome: chrome://settings/system > disable |Use proxyi
echo Firefox: about:preferences > Network Settings > |No proxyi

REM add summary log entry with system state (v1.8)
echo [%DATE% %TIME%] [STOP] Proxy teardown complete. System set to direct access. >> C:\data\sys\log\proxy.log

REM Added a console output for closure (v1.4)
echo [%DATE% %TIME%] Psiphonstop.bat completed. See logs for details.

REM Add a success beep or visual cue (v1.8)
echo Operation complete. System proxy is OFF.
powershell -c "[console]::beep(1000,300)"

pause
--
That thread about YouTube clients is this one from today:
From: Marion <marionf@fact.com> alt.comp.os.windows-10,alt.comp.os.windows-11,alt.comp.microsoft.windows
What are your experiences with free Windows YouTube replacement clients?
Date: Sat, 20 Sep 2025 22:32:49 -0000 (UTC)
Message-ID: <10ana2g$2noo$1@nnrp.usenet.blueworldhosting.com>
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Today I installed and tested FreeGate, which is "similar" to Psiphon
in that FreeGate provides a DIFFERENT way for a free encrypted proxy.

Here's my installation log, so that others can follow in my footsteps.

We'll start with a series of increasing detail by way of comparison.
Psiphon is SOCKS5 & HTTP:
a. Encrypted tunnel (SSH-based)
b. Works with any SOCKS5-aware app
c. Broader coverage for privacy

Freegate is HTTP:
a. Encrypted HTTP proxy
b. Limited to apps using Windows proxy
c. Narrower coverage, browser-focused

SOCKS5 support:
Psiphon runs a local SOCKS5 proxy (typically on 127.0.0.1:1080)
in addition to an HTTP proxy.
Freegate does not expose a SOCKS5 proxy port.
It only provides a local HTTP/HTTPS proxy (usually on 127.0.0.1:8580).

Encryption:
Traffic between your client and Psiphonos servers is encrypted.
When using the SOCKS5 port, the traffic is wrapped in an SSH-based
tunnel with obfuscation before leaving your machine.
Traffic between your client and Dynawebos servers (Freegate) is
also encrypted, but it is not a SOCKS5 tunnel and not a standard
VPN. It uses a proprietary encrypted HTTP proxy protocol.

Comparison of Psiphon and Freegate
Feature | Psiphon | Freegate |
------- ------- --------
Platform | Windows, Android, iOS | Windows |
Distribution | Official sites, stores| Mirrors, updater |
Protocols | SSH, VPN, HTTP proxy | Dynaweb proxy |
Local ports | 1080 (SOCKS), 33111 | 8580 |
GUI | Modern, usage stats | Simple, log window |
Auto update | Yes | Yes (prompts) |
Tunnel modes | VPN, SSH+, Split | A, F, M |
System proxy | Auto or manual | Auto WinINET |
Cross-app support | Yes (VPN mode) | Yes (system proxy) |
Open source | Client is open source | Closed source |
Typical use | Censorship, privacy | Censorship (China) |
1. Download & unzip the FreeGate version 7.90 portable zip file.
<https://www.techspot.com/downloads/6243-freegate.html>
Click the "Download Freegate" button
Choose either the EXE or ZIP version.
Name: fg790p.zip
Size: 6900787 bytes (6739 KiB)
SHA256: 8BD7F8DFEFA73DE07CC0C32265174681BACE7DF90EF2CCFB60F3B8473E3607CA

When I used FreeGate 7.90, it asked to download & use version 8.05:
Name: fg805p.exe
Size: 8135672 bytes (7944 KiB)
SHA256: 608DDDD745143F977BECB15A63FB49855B6672E4E53AA87833CA818A159FC1D1

Had I known that, I would have downloaded first from Gizmodo instead:
<https://gizmodo.com/download/freegate> (file size & hash checks out)

2. If you downloaded the ZIP file:
a. Right-click the ZIP file and select "Extract All..."
b. Choose a destination folder (e.g., C:\app\network\freegate\)
c. And click "Extract"

3. Double-click "fg790p.exe" to launch Freegate.
When you launch fg790p.exe, Freegate opens its control panel titled
"FreeGate Proxy Control", which lets you:
a. See connection status to Freegate's proxy servers.
b. Choose between different proxy modes (e.g., Classic or Smart).
c. View logs and diagnostics.
d. Launch a browser window preconfigured to use Freegate's proxy.
This panel is the gateway to managing how Freegate tunnels your traffic.

4. In the "FreeGate Proxy Control" panel, your choices are:
(_)All websites go through Freegate proxy
(o)Connect to websites in China directly
(and not through FreeGAte proxy)
[x]Skip this window when program starts

5. Select the option:
(o)All websites go through Freegate proxy
This ensures that all your internet traffic that obeys the
Windows system proxy (which stack?) should be routed through
Freegate's encrypted tunnel.

Also uncheck (for now):
[_]Skip this window when program starts

Press the blue "OK" button in the Freegate Proxy Control panel.

6. A Dynaweb FreeGate window should pop up saying something like:
[Freegate 7.90 Professional Edition]
Connected to 7 Servers, port: 8580,
Tunnel(A)

7. You may also get a belated Windows-Defender popup:
Windows Defender Firewall has blocked some features of this app.
Windows Defender Firewall has blocked some features of
Freegate on all public and private networks.
Name: Freegate
Publisher: Dynamic Internet Technology, Inc.
Path: C:\app\network\freegate\fg790p.exe
Allow Freegate to communicate on these networks:
[x]Private networks, such as my home or work network
[_]Public networks, such as those in airports & coffee shops
[Allow access][Cancel]

Click the "Allow access" button in the Windows Defender Firewall prompt.
This permits Freegate to communicate over your private network
and establish proxy connections.

8. Confirm that the Dynaweb FreeGate window remains open.
a. It should display:
Connected to 7 Servers, port: 8580
Tunnel(A)
b. This indicates that Freegate is actively tunneling traffic
through its proxy network.

9. To verify that Freegate is working:
a. Open your preferred browser (e.g., Chrome or Firefox)
b. Visit https://www.whatismyip.com/
My IPv4: 65.49.38.149
c. Check if your IP address is different from your normal ISP address
d. Visit a website that is normally blocked in your region

If your IP has changed or blocked sites are accessible:
Then Freegate is successfully routing traffic through its proxy.

Check your system proxy settings.

Win+I > Network & Internet > Proxy >
Automatic proxy setup
Automatically detect settings = off
Use setup script = off
Script address = 127.0.0.1/proxy.pac (which is grayed out!)
[Save] (which is grayed out!)
Manual proxy setup
Use a proxy server = on
Address = 127.0.0.1
Port = 8580
Use the proxy server except for addresses that start with the following:
<blank>
[x]Don't use the proxy server for local (intranet) addresses
[Save]

Win+R > control > Internet Options > Internet Properties
Connections > LAN settings
Local Area Network (LAN) Settings
Automatic configuration
[_]Automatically detect settings
[_]Use automatic configuration script
Address = http://127.0.0.1/proxy.pac (grayed out!)
Proxy server
[x]Use a proxy server for your LAN
Address = [127.0.0.1] Port = [8590]
[x]Bypass proxy server for local addresses

[Advanced]
Proxy Settings
HTTP: 127.0.0.1 : 8580
Secure: 127.0.0.1 : 8580 (grayed out!)
FTP: 127.0.0.1 : 8580 (grayed out!)
Socks: <blank> (grayed out!)
[x]Use the same proxy server for all protocols
Do not use proxy server for addresses beginning with:
<blank>

10. Optional: Configure other applications to use Freegate's proxy.
a. Freegate typically runs a local proxy on 127.0.0.1:8580
b. In your browser or app settings, set:
Proxy address: 127.0.0.1
Proxy port: 8580
c. Save and apply the settings.

11. To stop using Freegate:
a. Close the Dynaweb FreeGate window by clicking its Window red (X).
b. It will ask you a few questions (and go away if you don't answer).
Exiting proxy
Freegate is exiting.
Your internet activity will no longer be protected by Dynaweb.
It is not safe to continue visiting censored websites.
You are highly recommended to close all opened applications now.
[_]Do not show this window again; close all IE windows.
[_]Do not show this window again; keep all IE windows.
[Close opened applications [30s]][Keep open]

12. To confirm Freegate has successfully reverted proxy settings

a. Open Windows Settings:
Win+I > Network & Internet > Proxy

b. Check the following:
- Automatic proxy setup:
Automatically detect settings = on
Use setup script = off
Script address = <blank>
- Manual proxy setup:
Use a proxy server = off
Address = <blank>
Port = <blank>
Don't use the proxy server for local (intranet) addresses = unchecked

c. Open Internet Options:
Win+R > control > Internet Options > Connections > LAN settings

d. Confirm:
- Automatically detect settings = checked
- Use automatic configuration script = unchecked
Address = <blank>
- Use a proxy server for your LAN = unchecked
Address = <blank>
Port = <blank>
Bypass proxy server for local addresses = unchecked

e. Click [OK] to close LAN settings
Click [OK] to close Internet Properties

Unfortunately, I didn't know about the version 8.05 available download.
When I used FreeGate 7.90 a few times, it asked to download version 8.05:
Name: fg805p.exe
Size: 8135672 bytes (7944 KiB)
SHA256: 608DDDD745143F977BECB15A63FB49855B6672E4E53AA87833CA818A159FC1D1

Had I known that, I would have used a different download site:
<https://gizmodo.com/download/freegate>
<https://gizmodo.com/download/freegate-67626-download>
Name: gizmodo_fg805p.exe
Size: 8135672 bytes (7944 KiB)
SHA256: 608DDDD745143F977BECB15A63FB49855B6672E4E53AA87833CA818A159FC1D1

So rather than rewrite my log, here are 7.90 vs 8.05 differences.

STEP 1: DOWNLOAD
Go to: https://www.techspot.com/downloads/6243-freegate.html
Version 7.90 file: fg790p.zip (SHA256: 8BD7F8DFEFA73DE07CC0C32265174681BACE7DF90EF2CCFB60F3B8473E3607CA)
Version 8.05 file: fg805p.exe (SHA256: 608DDDD745143F977BECB15A63FB49855B6672E4E53AA87833CA818A159FC1D1)

STEP 2: EXTRACT (if ZIP)
Right-click fg790p.zip
Select "Extract All..."
Choose folder (example: C:\app\network\freegate\)
Click "Extract"

STEP 3: LAUNCH
Double-click fg790p.exe (7.90) or fg805p.exe (8.05)

STEP 4: CONTROL PANEL DIFFERENCES
VERSION 7.90:
Window title: "FreeGate Proxy Control"
Options:
(_) All websites go through Freegate proxy
(o) Connect to websites in China directly
[ ] Skip this window when program starts
Must click "OK" to activate

VERSION 8.05:
Window title changed (simplified layout)
Options presented as a dropdown or single checkbox
Status/log window shows connection attempts
Fewer prompts, more automatic behavior

STEP 5: STATUS WINDOW
VERSION 7.90:
Dynaweb FreeGate window shows:
"Connected to X Servers, port: 8580, Tunnel(A)"
Tunnel modes: A, F, M

VERSION 8.05:
Console-like log output
Shows connection attempts and tunnel status
Still binds to 127.0.0.1:8580

STEP 6: FIREWALL PROMPT
Windows Defender may prompt:
"Allow Freegate to communicate..."
Select:
[x] Private networks
[ ] Public networks
Click "Allow access"

STEP 7: VERIFY FUNCTION
Open browser
Visit https://www.whatismyip.com/
Confirm IP differs from ISP
Visit a blocked site to confirm access
System proxy should show:
Address = 127.0.0.1
Port = 8580

STEP 8: EXIT BEHAVIOR
VERSION 7.90:
Exit dialog appears:
"Freegate is exiting. Your internet activity will no longer be protected..."
Options to close or keep IE windows

VERSION 8.05:
Exit dialog simplified
Still warns that proxy is disabled after exit

STEP 9: CONFIRM REVERSION
After closing Freegate:
ProxyEnable = 0
ProxyServer = <blank>
No fg790p.exe or fg805p.exe process
No listener on 127.0.0.1:8580
Check via:
Win+I > Network & Internet > Proxy
Win+R > control > Internet Options > LAN settings

SUMMARY
Both FreeGate 7.90 & 8.05 use the same proxy mechanism (127.0.0.1:8580)
Abut 7.90 has explicit radio buttons, 8.05 has simplified controls
Verification and cleanup steps remain the same
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Marion wrote:

Today I installed and tested FreeGate, which is "similar" to Psiphon
in that FreeGate provides a DIFFERENT way for a free encrypted proxy.

Here's my installation log, so that others can follow in my footsteps.

Rather than write a new checkproxy script, I simply added FreeGate to it.

@echo off
REM C:\data\sys\batch\checkproxy.bat 20250916
REM This is version 1.9 (w! checkproxy.bat_v1px.)
REM Custom unified Windows proxy diagnostic tool
REM v1.0 lists WinINET manual proxy, WinHTTP proxy, PAC/AutoDetect
REM v1.1 replaces echo. with echo( to avoid command misinterpretation
REM v1.2 adds PAC file existence check and SHA256 hash logging (114 lines)
REM v1.3 (152 lines) adds debugging (section 9)
REM v1.4 (161 lines) adds more debugging (section 10)
REM v1.5 (182 lines) adds more debugging (section 11)
REM v1.6 (204 lines) adds command reference (section 12)
REM v1.7 (205 lines) Changed example.com to abc.com throughout
REM v1.8 (217 lines) Added check for freegate proxy in addition to psiphon
REM v1.9 (229 lines) Added output in final report to add freegate logging
:: Normally the pac file is served by a web server.
:: This script doesnot rely on Windows successfully fetching the PAC file
:: via HTTP. Instead, it Sets the registry key to point to the PAC URL
:: It assumes the PAC logic is known & trusted.
:: It uses proxy.cmd to apply proxy settings directly,
:: bypassing the need for Windows to interpret the PAC file
:: So even if http://127.0.0.1/proxy.pac isnot actually being served
:: by a web server, the system still behaves as if it is because the
:: tooling here enforces the logic manually.
:: This is the where Windows typically looks for the PAC script URL.
:: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
:: AutoConfigURL = http://127.0.0.1/proxy.pac
:: That tells Windows to fetch the PAC file from your own machine via HTTP
:: http://127.0.0.1/proxy.pac
:: C:\data\sys\batch\proxy.pac
:: curl http://127.0.0.1/proxy.pac
::
:: You could point to the actual pac file but that's less universal
:: AutoConfigURL = file:///C:/data/sys/batch/proxy.pac
::
:: C:\app\network\psiphon\psiphon3.exe -mode=socks
:: Win+I > Settings > Network & Internet > Proxy > Manual proxy setup = on
:: Automatic proxy setup
:: Automatically detect settings = on
:: Use setup script = on
:: Script address = http://127.0.0.1/proxy.pac
:: Manual proxy setup
:: Use a proxy server = on
:: Address http=127.0.0.1:3736;https=127.0.0.1:3736;socks=127.0.0.1:1080
:: Port = <blank>
:: Use the proxy server except for addresses that start with the following entries. Use semicolons (;) to separate entries.
:: 10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;169.254.*;[fc*];[fd*];[fe8*];[fe9*];[fea*];[feb*]
:: [x]Don't use the proxy server for local (intranet) addresses
::
:: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
:: AutoConfigURL = http://127.0.0.1/proxy.pac
::
:: C:\data\sys\batch\proxy.pac
::
:: Final Result
:: WinINET: Enabled and pointing to Psiphon
:: WinHTTP: Synced to match WinINET
:: PAC: Registry keys set, logic assumed, Auto-Detect enabled
:: The system is now fully aligned across all proxy layers.

echo [%DATE% %TIME%] Starting proxy check...

setlocal

set KEY="HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
set PACFILE=C:\data\sys\batch\proxy.pac

echo ==============================================
echo WINDOWS PROXY CONFIGURATION CHECK
echo ==============================================

REM --- PAC file existence check ---
if not exist "%PACFILE%" (
echo WARNING: PAC file not found at %PACFILE%
) else (
echo PAC file found at %PACFILE%
echo PAC file SHA256 hash:
certutil -hashfile "%PACFILE%" SHA256
)

REM --- WinINET (manual proxy) ---
echo(
echo [1] WinINET / Internet Settings
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v ProxyEnable

nul') do set ProxyEnable=%%B

for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v ProxyServer

nul') do set ProxyServer=%%B

if "%ProxyEnable%"=="0x1" (
echo Proxy is ENABLED
echo Proxy server: %ProxyServer%
) else (
echo Proxy is DISABLED
)

REM --- WinHTTP proxy ---
echo(
echo [2] WinHTTP proxy (system/background services)
netsh winhttp show proxy

REM --- PAC (Proxy Auto-Config) & AutoDetect ---
echo(
echo [3] PAC / AutoDetect
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v AutoConfigURL

nul') do set PACurl=%%B

for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v AutoDetect 2^>nul')
do set AutoDetect=%%B

if defined PACurl (
echo PAC script set: %PACurl%
) else (
echo No PAC script URL found.
)

if "%AutoDetect%"=="0x1" (
echo Auto-detect is ENABLED
) else (
echo Auto-detect is DISABLED
)


REM Added these debugging commands (v1p3)
echo(
echo [4] Psiphon and Mongoose process check
echo tasklist | findstr /i "psiphon3.exe mongoose.exe"
tasklist | findstr /i "psiphon3.exe mongoose.exe"

:: Added this insert to check for freegate proxy (v1p8)
echo(
echo [4b] Freegate process check
tasklist | findstr /i "fg790p.exe"

echo(
echo [5b] Freegate port binding check
netstat -ano | findstr :8580
netstat -ano | findstr :8581
:: END INSERT to check for freegate proxy (v1p8)

echo(
echo [5] Port binding check (Mongoose/Proxy)
echo netstat -ano | findstr :8080
netstat -ano | findstr :8080

echo(
echo [6] DNS resolution test
echo nslookup abc.com
nslookup abc.com

echo(
echo [7] Internet connectivity test
echo ping 8.8.8.8
ping 8.8.8.8

echo(
echo [8] Proxy test via curl
echo curl -x http://127.0.0.1:3736 http://abc.com --max-time 5
curl -x http://127.0.0.1:3736 http://abc.com --max-time 5

echo(
echo [9] .NET proxy settings (PowerShell)
echo powershell -Command "[System.Net.WebRequest]::DefaultWebProxy"
powershell -Command "[System.Net.WebRequest]::DefaultWebProxy"

echo(
echo [10] Network adapter configuration
echo ipconfig /all
ipconfig /all

echo(
echo [11] Network interface and routing diagnostics

echo netsh interface show interface
netsh interface show interface

echo(
echo route print
route print

echo(
echo curl --verbose http://abc.com
curl --verbose http://abc.com

REM Optional deeper trace (creates trace.txt in current folder)
echo(
echo curl --trace trace.txt http://abc.com
curl --trace trace.txt http://abc.com


echo(
echo Summary:
echo Proxy Enabled: %ProxyEnable%
echo Proxy Server: %ProxyServer%
echo PAC URL: %PACurl%
echo AutoDetect: %AutoDetect%

echo(
echo ==============================================
echo Check complete.
echo ==============================================

echo(
echo [12] Command Reference (manual run options)
echo certutil -hashfile "C:\data\sys\batch\proxy.pac" SHA256
echo reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable
echo reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer
echo netsh winhttp show proxy
echo reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL
echo reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoDetect
echo tasklist | findstr /i "psiphon3.exe mongoose.exe"
echo netstat -ano | findstr :8080
echo nslookup abc.com
echo ping 8.8.8.8
echo curl -x http://127.0.0.1:3736 http://abc.com --max-time 5
echo powershell -Command "[System.Net.WebRequest]::DefaultWebProxy"
echo ipconfig /all
echo netsh interface show interface
echo route print
echo curl --verbose http://abc.com
echo curl --trace trace.txt http://abc.com
echo(
echo Freegate process check:
tasklist | findstr /i "fg790p.exe" || echo No Freegate process found.
echo(
echo Freegate port check:
netstat -ano | findstr :8580 || echo No listener on 8580
netstat -ano | findstr :8581 || echo No listener on 8581
REM Sometimes Freegate sets ProxyServer to 127.0.0.1:8590 in
REM Internet Options while actually listening on 8580 so check for that
echo(
echo ProxyServer registry value: %ProxyServer%
echo Expected Freegate listener: 127.0.0.1:8580

endlocal
pause

--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

UPDATE

When FreeGate starts, it "phones home" to the following each time:

[Tue 09/23/2025 11:15:21.19] Attempted launch: C:\data\sys\batch\dummybrowser.exe
"http://dongtaiwang.com/loc/phome.php"

By way of contrast, when Psiphon starts, it adds much more data:

[Tue 09/23/2025 11:15:21.19] Attempted launch: C:\data\sys\batch\dummybrowser.exe "https://ipfounder.net/?sponsor_id=1BA577C3C04280CF
&sponsor=psiphon
&client_region=US
&client_asn=6920
&client_platform=windows
&secret=580EfjEI23xL3hmyU6dgP4vSEVxdcEI7JDElxgjds7PHulSEE0vmOKpvzbqxyTvYtpmvsY4xMEnfWEnTghe6l8jiV3K5QSWmir2i6fDeKJD6EhL6DlmYTEMu2EE3YJvy3LdCUW7ncdVC6ipgWx06vznvDLbY1djfcfKECpfsQJei2q6tb0ESEh1QK3x3qXKvyjmNPc5J
&psireason=connect
&psicash=eyJtWXKhWEE0YSI6eyJjbEllbnKfcmVndW3uIjmiVVMiLCJjbEllbnKfdmVyc2lvbiI6IjE4NiIsInByb3BhW2E0dW3uX2NmYW5uWWxfdWQiOiI5MlEBQ0M1QlECKTA5NDKDIivic3BvbnNvcl3pWCI6IjECQzUyN0QzKDA5OTg1Q0YiLCJ1c2VyX2EnWW50IjmiUHNpcEhvbi1Qc2lDYXNmLVdpbmKvd3MiLCJ2IjmxfSvidEltWXN0YW1vIjmiMjAyNS0vOS0yM1QxNzmvODm0OC41NjKdIividE3rWW5zIjpudWxsLCJ2IjmxfQ"

Luckily, my dummybrowser.bat script captures that w/o letting it out,
but I figured folks might want to know their privacy may be impacted.

@echo off
REM C:\data\sys\batch\dummybrowser.bat 20250819
REM This is rev 2.0
REM All calls to the default web browser are intercepted & logged
REM C:\data\sys\batch\dummybrowser.bat 20250916 revision 1.8
REM C:\data\sys\batch\dummybrowser.bat 20250916 revision 1.9
REM Removed gVim launch so the log is now read only when displayed
REM C:\data\sys\batch\dummybrowser.bat 20250916 revision 2.0
REM Restored gVim launch in read-only mode to view log w/o locking
:: Batch to be converted to an exe to be easily set as the default browser
:: Start clean by deleting any existing log files.
:: del C:\data\sys\log\dummybrowser.log
:: Open admin prompt (Win+R > cmd {ctrl+shft+enter} & kill leftovers
:: taskkill /IM dummybrowser.exe /F
:: Start GitHub Bat_To_Exe_Converter_x64.exe
:: <https://github.com/l-urk/Bat-To-Exe-Converter-64-Bit/releases>
:: File > Open > C:\data\sys\batch\dummybrowser.bat
:: Options: Exe-Format: 32-bit | Console (Visible)
:: Leave all other fields blank/unchecked
:: Click Convert
:: Save as: C:\data\sys\batch\dummybrowser.exe
:: To test, run in a command prompt:
:: C:\data\sys\batch\dummybrowser.exe test123
:: [Tue 09/16/2025 16:55:50.72] Attempted launch: (fingerprint)
:: C:\data\sys\batch\dummybrowser.exe test123
:: C:\data\sys\batch\dummybrowser.exe "https://abc.com/?a=1&b=2"
:: Verify both entries in: C:\data\sys\log\dummybrowser.log
:: type C:\data\sys\log\dummybrowser.log
:: Confirm registry entry for default browser options exists.
:: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DummyBrowserHTML\shell\open\command]
:: @="\"C:\\data\\sys\\batch\\dummybrowser.exe\" \"%1\""
:: Check that dummybrowser is set as the default browser
:: Win+I > Apps > Default apps > Web browser > Choose Dummy Browser

set LOGFILE=C:\data\sys\log\dummybrowser.log

REM Append new entry
echo [%date% %time%] Attempted launch: %* >> %LOGFILE%

REM Open log in gVim read-only and exit immediately
start "" "C:\app\editor\txt\vim\vim82\gvim.exe" -R "%LOGFILE%"

exit /b
--
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

UPDATE

To test Freegate HTTP proxy against Psiphon free HTTP/SOCKS proxy, I've
been alternating them each day, where both run all day without complaint.

However, when I started testing Freegate HTTP proxy every other day with Psiphon HTTP/SOCKS proxy, I needed to update my start/stop/check scripts
to incorporate the different ports used as variables for the two proxies.

To that end, the checkproxy.bat script was updated to include both proxies.


@echo off
REM C:\data\sys\batch\checkproxy.bat 20250916
REM This is version 2.2
REM Custom unified Windows proxy diagnostic tool
REM v1.0 lists WinINET manual proxy, WinHTTP proxy, PAC/AutoDetect
REM v1.1 replaces echo. with echo( to avoid command misinterpretation
REM v1.2 adds PAC file existence check and SHA256 hash logging (114 lines)
REM v1.3 (152 lines) adds debugging (section 9)
REM v1.4 (161 lines) adds more debugging (section 10)
REM v1.5 (182 lines) adds more debugging (section 11)
REM v1.6 (204 lines) adds command reference (section 12)
REM v1.7 (205 lines) Added example.com which is reserved for demos/tests.
REM v1.8 (217 lines) Added check for freegate proxy in addition to psiphon
REM v1.9 (231 lines) Added output in final report to add freegate logging
REM v2.0 (271 lines) adds timestamped log (checkproxyYYYYMMDD_HHMMSS.log)
REM v2.1 (285 lines) parameterized HTTP port for freegate 8580 & psiphon 3736
REM v2.2 (299 lines) parameterized all the proxy ports throughout
REM Comment linelength limit ==================================================
REM 567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 12
:: Normally the pac file is served by a web server.
:: This script doesn't rely on Windows successfully fetching the PAC file
:: via HTTP. Instead, it Sets the registry key to point to the PAC URL
:: It assumes the PAC logic is known & trusted.
:: It uses proxy.cmd to apply proxy settings directly,
:: bypassing the need for Windows to interpret the PAC file
:: So even if http://127.0.0.1/proxy.pac isnot actually being served
:: by a web server, the system still behaves as if it is because the
:: tooling here enforces the logic manually.
:: This is the where Windows typically looks for the PAC script URL.
:: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
:: AutoConfigURL = http://127.0.0.1/proxy.pac
:: That tells Windows to fetch the PAC file from your own machine via HTTP
:: http://127.0.0.1/proxy.pac
:: C:\data\sys\batch\proxy.pac
:: curl http://127.0.0.1/proxy.pac
::
:: You could point to the actual pac file but that's less universal
:: AutoConfigURL = file:///C:/data/sys/batch/proxy.pac
::
:: C:\app\network\psiphon\psiphon3.exe -mode=socks
:: Win+I > Settings > Network & Internet > Proxy > Manual proxy setup = on
:: Automatic proxy setup
:: Automatically detect settings = on
:: Use setup script = on
:: Script address = http://127.0.0.1/proxy.pac
:: Manual proxy setup
:: Use a proxy server = on
:: Address http=127.0.0.1:3736;https=127.0.0.1:3736;socks=127.0.0.1:1080
:: Port = <blank>
:: Use the proxy server except for addresses that start with the following entries. Use semicolons (;) to separate entries.
:: 10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;169.254.*;[fc*];[fd*];[fe8*];[fe9*];[fea*];[feb*]
:: [x]Don't use the proxy server for local (intranet) addresses
::
:: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
:: AutoConfigURL = http://127.0.0.1/proxy.pac
::
:: C:\data\sys\batch\proxy.pac
::
:: Final Result
:: WinINET: Enabled and pointing to Psiphon
:: WinHTTP: Synced to match WinINET
:: PAC: Registry keys set, logic assumed, Auto-Detect enabled
:: The system is now fully aligned across all proxy layers.
::
REM BELOW is the log wrapper (console output saved to a timestamped file) v2p0
set "LOGDIR=C:\data\sys\log"

if "%1"=="__LOGGING__" goto :run_script

for /f "tokens=1-4 delims=/ " %%a in ("%DATE%") do (
set DOW=%%a
set MM=%%b
set DD=%%c
set YYYY=%%d
)
for /f "tokens=1-3 delims=:." %%a in ("%TIME%") do (
set HH=%%a
set Min=%%b
set Sec=%%c
)
if "%HH:~0,1%"==" " set HH=0%HH:~1,1%

set LOGSTAMP=%YYYY%%MM%%DD%_%HH%%Min%%Sec%
set "LOGFILE=%LOGDIR%\checkproxy%LOGSTAMP%.log"
set "TMPTXT=%LOGDIR%\checkproxy%LOGSTAMP%.tmp"

if not exist "%LOGDIR%" md "%LOGDIR%" 2>nul

powershell -NoProfile -Command ^
" & { & cmd /c '\"%~f0\" __LOGGING__' 2>&1 | Tee-Object -FilePath '%TMPTXT%' }"

powershell -NoProfile -Command ^
" [System.IO.File]::WriteAllText('%LOGFILE%', (Get-Content -Raw -LiteralPath '%TMPTXT%'), (New-Object System.Text.UTF8Encoding($false))); Remove-Item -LiteralPath '%TMPTXT%' -ErrorAction SilentlyContinue"

echo(
echo Log created at %LOGFILE%
echo(
pause
exit /b

:run_script
REM ABOVE is the log wrapper (console output saved to a timestamped file) v2p0

set FREEGATE_HTTP_PORT=8580
set FREEGATE_HTTP_PORT_ALT=8581
set PSIPHON_HTTP_PORT=3736
set PSIPHON_SOCKS_PORT=1080

echo [%DATE% %TIME%] Starting proxy check...

setlocal

set KEY="HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
set PACFILE=C:\data\sys\batch\proxy.pac
REM v2.0 Replace the HTTP proxy port with a parameterized port
echo ==============================================
echo WINDOWS PROXY CONFIGURATION CHECK
echo ==============================================

REM --- PAC file existence check ---
if not exist "%PACFILE%" (
echo WARNING: PAC file not found at %PACFILE%
) else (
echo PAC file found at %PACFILE%
echo PAC file SHA256 hash:
certutil -hashfile "%PACFILE%" SHA256
)

REM --- WinINET (manual proxy) ---
echo(
echo [1] WinINET / Internet Settings
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v ProxyEnable 2^>nul') do set ProxyEnable=%%B
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v ProxyServer 2^>nul') do set ProxyServer=%%B
if "%ProxyEnable%"=="0x1" (
echo Proxy is ENABLED
echo Proxy server: %ProxyServer%
) else (
echo Proxy is DISABLED
)

REM --- WinHTTP proxy ---
echo(
echo [2] WinHTTP proxy (system/background services)
netsh winhttp show proxy

REM --- PAC (Proxy Auto-Config) & AutoDetect ---
echo(
echo [3] PAC / AutoDetect
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v AutoConfigURL 2^>nul') do set PACurl=%%B
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v AutoDetect 2^>nul') do set AutoDetect=%%B

if defined PACurl (
echo PAC script set: %PACurl%
) else (
echo No PAC script URL found.
)

if "%AutoDetect%"=="0x1" (
echo Auto-detect is ENABLED
) else (
echo Auto-detect is DISABLED
)


REM Added these debugging commands (v1p3)
echo(
echo [4] Psiphon and Mongoose process check
echo tasklist | findstr /i "psiphon3.exe mongoose.exe"
tasklist | findstr /i "psiphon3.exe mongoose.exe"

:: Added this insert to check for freegate proxy (v1p8)
echo(
echo [4b] Freegate process check
tasklist | findstr /i "fg790p.exe"

echo(
echo [5b] Freegate port binding check
REM netstat -ano | findstr :8580
netstat -ano | findstr :%FREEGATE_HTTP_PORT%
REM netstat -ano | findstr :8581
netstat -ano | findstr :%FREEGATE_HTTP_PORT_ALT%
:: END INSERT to check for freegate proxy (v1p8)

echo(
echo [5] Port binding check (Mongoose/Proxy)
echo netstat -ano | findstr :8080
netstat -ano | findstr :8080

echo(
echo [6] DNS resolution test
echo nslookup example.com
REM nslookup example.com
REM v2.1 suppressed stderr
nslookup example.com 2>nul

echo(
echo [7] Internet connectivity test
echo ping 8.8.8.8
ping 8.8.8.8

REM Using %PROXY_PORT% set to Freegate (8580) & then to Psiphon (3736)
echo(
echo [8] Proxy test via curl (Freegate and Psiphon)

REM --- Freegate test (8580) ---
REM set PROXY_PORT=8580
set PROXY_PORT=%FREEGATE_HTTP_PORT%
echo -- Freegate on port %PROXY_PORT% --
echo curl -x http://127.0.0.1:%PROXY_PORT% http://example.com --max-time 5
curl -x http://127.0.0.1:%PROXY_PORT% http://example.com --max-time 5

REM --- Psiphon test (3736) ---
REM set PROXY_PORT=3736
set PROXY_PORT=%PSIPHON_HTTP_PORT%
REM echo -- Psiphon on port %PROXY_PORT% --
echo curl -x http://127.0.0.1:%PROXY_PORT% http://example.com --max-time 5
curl -x http://127.0.0.1:%PROXY_PORT% http://example.com --max-time 5

echo(
echo [9] .NET proxy settings (PowerShell)
echo powershell -Command "[System.Net.WebRequest]::DefaultWebProxy"
powershell -Command "[System.Net.WebRequest]::DefaultWebProxy"

echo(
echo [10] Network adapter configuration
echo ipconfig /all
ipconfig /all

echo(
echo [11] Network interface and routing diagnostics

echo netsh interface show interface
netsh interface show interface

echo(
echo route print
route print

echo(
echo curl --verbose http://example.com
curl --verbose http://example.com

REM Optional deeper trace (creates trace.txt in current folder)
echo(
echo curl --trace trace.txt http://example.com
curl --trace trace.txt http://example.com


echo(
echo Summary:
echo Proxy Enabled: %ProxyEnable%
echo Proxy Server: %ProxyServer%
echo PAC URL: %PACurl%
echo AutoDetect: %AutoDetect%

echo(
echo ==============================================
echo Check complete.
echo ==============================================

echo(
echo [12] Command Reference (manual run options)
echo certutil -hashfile "C:\data\sys\batch\proxy.pac" SHA256
echo reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable
echo reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer
echo netsh winhttp show proxy
echo reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL
echo reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoDetect
echo tasklist | findstr /i "psiphon3.exe mongoose.exe"
echo netstat -ano | findstr :8080
echo nslookup example.com
echo ping 8.8.8.8
REM echo curl -x http://127.0.0.1:3736 http://example.com --max-time 5
echo psiphon http port
echo curl -x http://127.0.0.1:%PSIPHON_HTTP_PORT% http://example.com --max-time 5
echo freegate http port
echo curl -x http://127.0.0.1:%FREEGATE_HTTP_PORT% http://example.com --max-time 5
echo powershell -Command "[System.Net.WebRequest]::DefaultWebProxy"
echo ipconfig /all
echo netsh interface show interface
echo route print
echo curl --verbose http://example.com
echo curl --trace trace.txt http://example.com
echo(
echo Freegate process check:
tasklist | findstr /i "fg790p.exe" || echo No Freegate process found.
echo(
echo Freegate port check:
REM netstat -ano | findstr :8580 || echo No listener on 8580
REM netstat -ano | findstr :8581 || echo No listener on 8581
netstat -ano | findstr :%FREEGATE_HTTP_PORT% || echo No listener on %FREEGATE_HTTP_PORT%
netstat -ano | findstr :%FREEGATE_HTTP_PORT_ALT% || echo No listener on %FREEGATE_HTTP_PORT_ALT%
REM Sometimes Freegate sets ProxyServer to 127.0.0.1:8590 in
REM Internet Options while actually listening on 8580 so check for that
echo(
echo ProxyServer registry value: %ProxyServer%
REM echo Expected Freegate listener: 127.0.0.1:8580
echo Expected Psiphon listener: 127.0.0.1:%PSIPHON_HTTP_PORT%
echo Expected Freegate listener: 127.0.0.1:%FREEGATE_HTTP_PORT%
endlocal
--
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

UPDATE

Q: How would Microsoft Windows Update know my IP address?
A: It can't. It only sees the proxy. Or VPN. But not my real IP address.

Whew! Good news.
Windows Update was NOT seeing my real IP as tested thoroughly
in multiple ways in the attached script that I wrote today.

Using the existing psiphon.bat starter, the Windows Update Service
(wuauserv) was is always flowing through the proxy service.

This is how to tell if Windows Update is CONFIGURED to use the proxy.

Win+R > cmd {ctrl+shft+rtn}

netsh winhttp show proxy

a. If it shows this, Windows Update is going straight out to the internet:
Direct access (no proxy server)
b. If it shows something like this, Windows Update is using the proxy:
Proxy Server(s) : http=127.0.0.1:8080;https=127.0.0.1:8080

Mine showed this (when Psiphon is running):
Current WinHTTP proxy settings:
Proxy Server(s) :
http=127.0.0.1:3095;https=127.0.0.1:3095;socks=127.0.0.1:1080
Bypass List : <local>;10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;169.254.*;[fc*];[fd*];[fe8*];[fe9*];[fea*];[feb*]

Regarding: http=127.0.0.1:3095;https=127.0.0.1:3095
This means WinHTTP (and therefore Windows Update) is configured to send all HTTP and HTTPS traffic through a local proxy listening on port 3095.

Regarding: socks=127.0.0.1:1080
Unfortunately, even though there is a socks line, WinHTTP does not support SOCKS. It will ignore that part. Only the HTTP/HTTPS entries matter.

Regarding: <local>;10.*;172.16.* -iK 192.168.*;169.254.*;[fc*];[fd*];[fe*]
This means private/internal addresses are excluded from the proxy.

This is how to tell if Windows Update is actually USING the proxy!

Set up two windows, one of which is an admin window for Powershell:
Trigger a Windows Update scan manually in the Powershell admin window.

usoclient StartScan

Trigger a scan to watch port 3095 while that's running:

netstat -ano | findstr :3095

TCP 127.0.0.1:3095 0.0.0.0:0 LISTENING 9452
TCP 127.0.0.1:3095 127.0.0.1:3151 ESTABLISHED 9452
TCP 127.0.0.1:3143 127.0.0.1:3095 TIME_WAIT 0
TCP 127.0.0.1:3144 127.0.0.1:3095 TIME_WAIT 0
TCP 127.0.0.1:3145 127.0.0.1:3095 TIME_WAIT 0
TCP 127.0.0.1:3151 127.0.0.1:3095 ESTABLISHED 9108

Rather than race the clock, we can run the netstat every second first.

netstat -ano 1 | findstr :3095

I tested Windows Update which is using the proxy as we would want it to
with Psiphon (even with the PAC file set which blocks microsoft.com).

On purpose, I waited to see what would happen when Microsoft stopped
updating Windows 10, and specifically if a free ESU would be offered.

At midnight, on October 14th to 15th, I watched Windows Update finish &
show this prompt to get the ESU if I create an MSA & set up a backup.
<https://i.postimg.cc/Dwv6M7Lr/windowseol01.jpg>

I have NOT created the MSA yet, because it takes about a month on TOR to
get ProtonMail to reliably accept verification emails (ask me how I know
that, where ProtonMail will permanently disable verifications if you rush).

In the interim, I wrote up my best guess as to the absolute bare minimum a user in the USA would need to do in order to qualify for the free ESU.
*Tutorial:*
*How to set up Windows 10 free ESU using bare-minimum requirements*
<https://i2pn2.pugleaf.net/groups/alt.comp.microsoft.windows/articles/4932>

With that done, what's left is to create a private email on TOR
which doesn't ask for another email or for a phone number to create
and use it for about a month with "normal-looking traffic.

Then I can create the MSA account.
But in the interim, I need to keep Microsoft from seeing my real IP
during the Windows Update process (which uses WinHTTP when proxied).

Strategy:
a. Microsoft does NOT get your real IP address
b. Microsoft does not get any information from your email address MSA

For that strategy, you can be on VPN all the time, but a proxy is faster.
Much faster. And you can always tack on the VPN before or after the proxy.

Since I already have the psiphon.bat script starting the proxy, I wrote and tested the script below, which "could" run the Windows Update but I
hesitated to allow the script itself to run the Windows Update from inside
the script because then it would only work on a system that has added
specific PowerShell compoents (necessary to run the Windows Update).

Instead, I made the script need an OUTSIDE manual call to the Windows
Update GUI (which is the most reliable way & still be compatible for everyone).

Below is the script that I tested on my machine to check if Windows Update
is getting my real IP address, or the Psiphon proxy IP address instead.

The use model is simple:
a. Run the script
b. While the script is running, manually run a Windows Update check
c. Kill the script

The log file will look something like this if your proxy is trapping calls.
==============================================
[Thu 10/16/2025 6:01:07.59] Starting scan
[Thu 10/16/2025 6:01:07.63] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:01:07.82] monitoring...
[Thu 10/16/2025 6:01:12.22] PID=0 Proc=System
[Thu 10/16/2025 6:01:12.22] *** WINDOWS UPDATE HIT *** PID=5712 Proc=svchost.exe
[Thu 10/16/2025 6:01:12.22] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:01:12.22] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:01:15.31] monitoring...
[Thu 10/16/2025 6:01:20.16] PID=0 Proc=System
[Thu 10/16/2025 6:01:20.16] *** WINDOWS UPDATE HIT *** PID=5712 Proc=svchost.exe
[Thu 10/16/2025 6:01:20.16] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:01:20.16] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:01:22.87] monitoring...
[Thu 10/16/2025 6:01:27.15] PID=0 Proc=System
[Thu 10/16/2025 6:01:27.15] *** WINDOWS UPDATE HIT *** PID=5712 Proc=svchost.exe
[Thu 10/16/2025 6:01:27.15] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:01:27.15] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:01:29.89] monitoring...
[Thu 10/16/2025 6:01:34.18] PID=0 Proc=System
[Thu 10/16/2025 6:01:34.18] PID=0 Proc=System
[Thu 10/16/2025 6:01:34.18] PID=0 Proc=System
[Thu 10/16/2025 6:01:34.18] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:01:34.61] monitoring...
[Thu 10/16/2025 6:01:39.14] PID=0 Proc=System
[Thu 10/16/2025 6:01:39.14] PID=0 Proc=System
[Thu 10/16/2025 6:01:39.14] PID=0 Proc=System
[Thu 10/16/2025 6:01:39.14] PID=0 Proc=System
[Thu 10/16/2025 6:01:39.14] *** WINDOWS UPDATE HIT *** PID=5712 Proc=svchost.exe
[Thu 10/16/2025 6:01:39.14] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:01:39.14] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:01:42.12] monitoring...
[Thu 10/16/2025 6:01:47.20] PID=0 Proc=System
[Thu 10/16/2025 6:01:47.20] PID=0 Proc=System
[Thu 10/16/2025 6:01:47.20] PID=0 Proc=System
[Thu 10/16/2025 6:01:47.20] *** WINDOWS UPDATE HIT *** PID=5712 Proc=svchost.exe
[Thu 10/16/2025 6:01:47.20] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:01:47.20] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:01:50.16] monitoring...
[Thu 10/16/2025 6:01:55.21] PID=0 Proc=System
[Thu 10/16/2025 6:01:55.21] PID=0 Proc=System
[Thu 10/16/2025 6:01:55.21] PID=0 Proc=System
[Thu 10/16/2025 6:01:55.21] PID=0 Proc=System
[Thu 10/16/2025 6:01:55.21] PID=0 Proc=System
[Thu 10/16/2025 6:01:55.21] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:01:55.84] monitoring...
[Thu 10/16/2025 6:02:00.13] PID=0 Proc=System
[Thu 10/16/2025 6:02:00.13] PID=0 Proc=System
[Thu 10/16/2025 6:02:00.13] PID=0 Proc=System
[Thu 10/16/2025 6:02:00.13] PID=0 Proc=System
[Thu 10/16/2025 6:02:00.13] PID=0 Proc=System
[Thu 10/16/2025 6:02:00.13] *** WINDOWS UPDATE HIT *** PID=5712 Proc=svchost.exe
[Thu 10/16/2025 6:02:00.13] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:02:00.13] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:02:03.30] monitoring...
[Thu 10/16/2025 6:02:08.15] PID=0 Proc=System
[Thu 10/16/2025 6:02:08.15] PID=0 Proc=System
[Thu 10/16/2025 6:02:08.15] PID=0 Proc=System
[Thu 10/16/2025 6:02:08.15] PID=0 Proc=System
[Thu 10/16/2025 6:02:08.15] *** WINDOWS UPDATE HIT *** PID=5712 Proc=svchost.exe
[Thu 10/16/2025 6:02:08.15] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:02:08.15] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:02:11.29] monitoring...
[Thu 10/16/2025 6:02:16.15] PID=0 Proc=System
[Thu 10/16/2025 6:02:16.15] PID=0 Proc=System
[Thu 10/16/2025 6:02:16.15] PID=0 Proc=System
[Thu 10/16/2025 6:02:16.15] PID=0 Proc=System
[Thu 10/16/2025 6:02:16.15] PID=0 Proc=System
[Thu 10/16/2025 6:02:16.15] PID=9452 Proc=psiphon-tunnel-core.exe
[Thu 10/16/2025 6:02:16.79] monitoring...

so that everyone always benefits from the appreciable efforts I expend
to help them, here is the script for your use for testing purposes..

@echo off
REM C:\data\sys\batch\checkwindowsupdate.bat 20251016 version 1.0
REM This is version 1.5
REM Tool to log details (i.e., use of proxy) when an update scan is done.
REM v1.0 20251016, 91 lines
REM Runs "usoclient StartScan" to kick off a Windows Update check.
REM Optionally run "usoclient StartInteractiveScan" for a deeper scan.
REM Every 5 seconds, checks for connections on port 3095.
REM For each PID using that port, resolves the process name
REM (svchost.exe for Windows Update).
REM Creates a timestamped log file in C:\data\sys\log\.
REM Appends timestamp + PID + process name to the log.
REM v1.1 20251016, 101 lines
REM Modified the port to be a variable
REM Padded single-digit timestamps in logfile for consistent sorting
REM v1.2 20251016, 113 lines
REM Added highlight for the wuauserv process
REM If the process is not svchost.exe, it logs normally.
REM If it is svchost.exe, it runs a quick PowerShell check:
REM Which looks up the services hosted by that PID.
REM If one of them is wuauserv, it writes a highlighted line:
REM [date time] *** WINDOWS UPDATE HIT *** PID=736 Proc=svchost.exe
REM Otherwise, it logs normally.
REM v1.3 20251016, 118 lines
REM Fixed %%a was used but never set, which breaks the inner loop.
REM v1.4 20251016, 123 lines
REM Commented out "usoclient StartScan" because it won't run if cached
REM Added "usoclient StartInteractiveScan" as it will run even if cached
REM v1.5 20251016, 138 lines
REM Added a heartbeat to confirm the loop is alive
REM Gave up on the usoclient commands above.
REM Don't want to make the script not work on everyone else's PC
REM But if I wanted to run the update in this script, I need to do this
REM Install-Module PSWindowsUpdate
REM Import-Module PSWindowsUpdate
REM Get-WindowsUpdate -MicrosoftUpdate -AcceptAll -IgnoreReboot
REM Install-Module PSWindowsUpdate
REM But even that requires admin so let's just run the update in the GUI
REM So this is no longer a tool to trigger Windows Update & log proxy hits
REM It just logs proxy hits when the Windows Update is manually triggered.
REM Comment linelength limit ==================================================
REM 567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 12
:: This is how to tell if Windows Update is CONFIGURED to use the proxy.
::
:: Win+R > cmd {ctrl+shft+rtn}
:: C:\> netsh winhttp show proxy
::
:: a. If it shows this, Windows Update is going straight out to the internet:
:: Direct access (no proxy server)
:: b. If it shows something like this, Windows Update is using the proxy:
:: Proxy Server(s) : http=127.0.0.1:8080;https=127.0.0.1:8080
::
:: Mine showed this:
:: Current WinHTTP proxy settings:
:: Proxy Server(s) : http=127.0.0.1:3095;https=127.0.0.1:3095;socks=127.0.0.1:1080
:: Bypass List : <local>;10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;169.254.*;[fc*];[fd*];[fe8*];[fe9*];[fea*];[feb*]
::
:: Regarding: http=127.0.0.1:3095;https=127.0.0.1:3095
:: This means WinHTTP (and therefore Windows Update) is configured to send all HTTP and HTTPS traffic through a local proxy listening on port 3095.
::
:: Regarding: socks=127.0.0.1:1080
:: Unfortunately, even though there is a socks line, WinHTTP does not support SOCKS. It will ignore that part. Only the HTTP/HTTPS entries matter.
::
:: Regarding: <local>;10.*;172.16.* rCa 192.168.*;169.254.*;[fc*];[fd*];[fe*]
:: This means private/internal addresses are excluded from the proxy.
::
:: This is how to tell if Windows Update is actually USING the proxy!
::
:: Set up two windows, one of which is an admin window for Powershell:
:: Trigger a Windows Update scan manually in the Powershell admin window.
:: PS:> usoclient StartScan
:: Trigger a scan to watch port 3095 while that's running:
:: C:\> netstat -ano | findstr :3095
:: TCP 127.0.0.1:3095 0.0.0.0:0 LISTENING 9452
:: TCP 127.0.0.1:3095 127.0.0.1:3151 ESTABLISHED 9452
:: TCP 127.0.0.1:3143 127.0.0.1:3095 TIME_WAIT 0
:: TCP 127.0.0.1:3144 127.0.0.1:3095 TIME_WAIT 0
:: TCP 127.0.0.1:3145 127.0.0.1:3095 TIME_WAIT 0
:: TCP 127.0.0.1:3151 127.0.0.1:3095 ESTABLISHED 9108
::
:: Rather than race the clock, we can run the netstat every second first.
:: C:\> netstat -ano 1 | findstr :3095
:: This proves that the process found is the Windows Update service
:: PS C:\Windows\system32> Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -eq 736 } | Select-Object Name, DisplayName
::
:: Name DisplayName
:: ---- -----------
:: wuauserv Windows Update
::
::
:: NOTE: Port 3095 is used here because that's the port our local
:: HTTP-to-SOCKS proxy is configured to listen on.
:: You can verify this by checking your WinHTTP proxy settings:
:: netsh winhttp show proxy
:: If it shows http=127.0.0.1:3095, then this script will work as-is.
:: Otherwise, update the port number below to match your actual proxy listener.

set PROXYPORT=3095

set LOGDIR=C:\data\sys\log
if not exist "%LOGDIR%" md "%LOGDIR%"

set hour=%TIME:~0,2%
if "%hour:~0,1%"==" " set hour=0%hour:~1,1%

set LOGFILE=%LOGDIR%\update_proxy_hits_%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%_%hour%%TIME:~3,2%%TIME:~6,2%.log

echo Starting Windows Update scan and proxy logging...
echo Log file: %LOGFILE%
echo Press Ctrl+C to stop.
echo ============================================== >> "%LOGFILE%"
echo [%DATE% %TIME%] Starting scan >> "%LOGFILE%"

:: Trigger Windows Update scan (might not run if results are recently cached)
REM usoclient StartScan
:: Trigger Windows Update scan (should trigger even if it was cached recently)
usoclient StartInteractiveScan

:: Continuous logging of connections to port 3095
:loop
for /f "tokens=5" %%a in ('netstat -ano ^| findstr :%PROXYPORT%') do (
for /f "tokens=1,*" %%b in ('tasklist /fi "PID eq %%a" /fo table /nh 2^>nul') do (
if /i "%%b"=="svchost.exe" (
rem Check if this svchost is hosting Windows Update
powershell -command "if ((Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -eq %%a }).Name -eq 'wuauserv') { Write-Output '[%DATE% %TIME%] *** WINDOWS UPDATE HIT *** PID=%%a Proc=%%b' } else { Write-Output '[%DATE% %TIME%] PID=%%a Proc=%%b' }" >> "%LOGFILE%"
) else (
echo [%DATE% %TIME%] PID=%%a Proc=%%b >> "%LOGFILE%"
)
)
)

:: Add a heartbeat to confirm the loop is alive
echo [%DATE% %TIME%] monitoring... >> "%LOGFILE%"
timeout /t 5 >nul

goto loop

:: end of C:\data\sys\batch\checkwindowsupdate.bat
--
The main point of Usenet is for intelligent people to help each other, &
for results to be archived so that anyone can access our immense knowledge.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Marion wrote:

Q: How would Microsoft Windows Update know my IP address?
A: It can't. It only sees the proxy. Or VPN. But not my real IP address.

UPDATE

Of course, I had to remove the microsoft domains from my PAC file, where I
want to thank Andy Burns for teaching me what the PAC file does as I had
never heard of it until I started this quest to build my own proxy client.


/*
proxy.pac C:\data\sys\batch\proxy.pac (20250902)
This is version 1.4
Selectively bypass proxy for sites sensitive to tunneling or IP shifts:
- Google services (search, mail, etc.)
- Amazon (especially the Amazon Vine Voice program)
- Speicific Microsoft domains (Copilot)
All other traffic routed through local SOCKS proxy at 127.0.0.1:1080
- Including Windows Update

Useful for split-tunnel setups where trusted domains go direct
but everything else is encrypted via Psiphon SOCKS5 proxy.

If needed, test PAC web access and fundamental logic with:
- https://pactester.brdbnt.com/
- https://github.com/termsl/WPADChecker
- curl http://127.0.0.1/proxy.pac

v1.0 20250902(added Amazon Vine Voice https://amazon.com/vine/about)
v1.1 20250910(added Google Gmail but I need to add it to Thunderbird)
v1.2 20250918(added Microsoft sites for practice adding domains)
v1.3 20251016(removed Microsoft domains for Windows-Update reasons)
v1.4 20251016(rewrote to eliminate Windows-Update altogether)
*/

function FindProxyForURL(url, host) {
// Bypass Gmail & Google
if (shExpMatch(host, "*.google.com") ||
shExpMatch(host, "*.gmail.com") ||
shExpMatch(host, "mail.google.com")) {
return "DIRECT";
}

// Bypass Amazon Vine
if (shExpMatch(host, "*.amazon.com") ||
shExpMatch(host, "amazon.com")) {
return "DIRECT";
}

// Keep Copilot direct for stability
if (shExpMatch(host, "*.copilot.microsoft.com")) {
return "DIRECT";
}

// All other traffic, including Microsoft Update, Bing, etc. ? proxy
return "SOCKS 127.0.0.1:1080";
}
--
The point of Usenet is for smart people to help each other & for results
to be archived so that anyone can access our immense tribal knowledge.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

UPDATE:

Now that I have multiple proxies (Tor & Psiphon) working with every Windows TCP/UDP binary that I want to be proxied (e.g., curl, powershell, etc.),
it's time to make sure there aren't any leaks, which takes thoughtful
effort to catch (since you can't catch what you're not testing for).

To that end, I wrote this rather detailed testing script, but the problem
is that the output is verbose, so it doesn't give an easy yes/no answer.

Hence, after posting this proxy-testing script, I will post a much simpler proxy test, which outputs a formatted PASS/FAIL to whether or not your IP address is proxied through Tor/Psiphon free no-registration proxy servers.

@echo off
REM C:\data\sys\batch\checkproxy.bat 20250916
REM This is version 2.2
REM Custom unified Windows proxy diagnostic tool
REM v1.0 lists WinINET manual proxy, WinHTTP proxy, PAC/AutoDetect
REM v1.1 replaces echo. with echo( to avoid command misinterpretation
REM v1.2 adds PAC file existence check and SHA256 hash logging (114 lines)
REM v1.3 (152 lines) adds debugging (section 9)
REM v1.4 (161 lines) adds more debugging (section 10)
REM v1.5 (182 lines) adds more debugging (section 11)
REM v1.6 (204 lines) adds command reference (section 12)
REM v1.7 (205 lines) Added example.com which is reserved for demos/tests.
REM v1.8 (217 lines) Added check for freegate proxy in addition to psiphon
REM v1.9 (231 lines) Added output in final report to add freegate logging
REM v2.0 (271 lines) adds timestamped log (checkproxyYYYYMMDD_HHMMSS.log)
REM v2.1 (285 lines) parameterized HTTP port for freegate 8580 & psiphon 3736
REM v2.2 (299 lines) parameterized all the proxy ports throughout
REM Comment linelength limit ==================================================
REM 567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 12
:: Normally the pac file is served by a web server.
:: This script doesn't rely on Windows successfully fetching the PAC file
:: via HTTP. Instead, it Sets the registry key to point to the PAC URL
:: It assumes the PAC logic is known & trusted.
:: It uses proxy.cmd to apply proxy settings directly,
:: bypassing the need for Windows to interpret the PAC file
:: So even if http://127.0.0.1/proxy.pac isnot actually being served
:: by a web server, the system still behaves as if it is because the
:: tooling here enforces the logic manually.
:: This is the where Windows typically looks for the PAC script URL.
:: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
:: AutoConfigURL = http://127.0.0.1/proxy.pac
:: That tells Windows to fetch the PAC file from your own machine via HTTP
:: http://127.0.0.1/proxy.pac
:: C:\data\sys\batch\proxy.pac
:: curl http://127.0.0.1/proxy.pac
::
:: You could point to the actual pac file but that's less universal
:: AutoConfigURL = file:///C:/data/sys/batch/proxy.pac
::
:: C:\app\network\psiphon\psiphon3.exe -mode=socks
:: Win+I > Settings > Network & Internet > Proxy > Manual proxy setup = on
:: Automatic proxy setup
:: Automatically detect settings = on
:: Use setup script = on
:: Script address = http://127.0.0.1/proxy.pac
:: Manual proxy setup
:: Use a proxy server = on
:: Address http=127.0.0.1:3736;https=127.0.0.1:3736;socks=127.0.0.1:1080
:: Port = <blank>
:: Use the proxy server except for addresses that start with the following entries. Use semicolons (;) to separate entries.
:: 10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;169.254.*;[fc*];[fd*];[fe8*];[fe9*];[fea*];[feb*]
:: [x]Don't use the proxy server for local (intranet) addresses
::
:: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
:: AutoConfigURL = http://127.0.0.1/proxy.pac
::
:: C:\data\sys\batch\proxy.pac
::
:: Final Result
:: WinINET: Enabled and pointing to Psiphon
:: WinHTTP: Synced to match WinINET
:: PAC: Registry keys set, logic assumed, Auto-Detect enabled
:: The system is now fully aligned across all proxy layers.
::
REM BELOW is the log wrapper (console output saved to a timestamped file) v2p0
set "LOGDIR=C:\data\sys\log"

if "%1"=="__LOGGING__" goto :run_script

for /f "tokens=1-4 delims=/ " %%a in ("%DATE%") do (
set DOW=%%a
set MM=%%b
set DD=%%c
set YYYY=%%d
)
for /f "tokens=1-3 delims=:." %%a in ("%TIME%") do (
set HH=%%a
set Min=%%b
set Sec=%%c
)
if "%HH:~0,1%"==" " set HH=0%HH:~1,1%

set LOGSTAMP=%YYYY%%MM%%DD%_%HH%%Min%%Sec%
set "LOGFILE=%LOGDIR%\checkproxy%LOGSTAMP%.log"
set "TMPTXT=%LOGDIR%\checkproxy%LOGSTAMP%.tmp"

if not exist "%LOGDIR%" md "%LOGDIR%" 2>nul

powershell -NoProfile -Command ^
" & { & cmd /c '\"%~f0\" __LOGGING__' 2>&1 | Tee-Object -FilePath '%TMPTXT%' }"

powershell -NoProfile -Command ^
" [System.IO.File]::WriteAllText('%LOGFILE%', (Get-Content -Raw -LiteralPath '%TMPTXT%'), (New-Object System.Text.UTF8Encoding($false))); Remove-Item -LiteralPath '%TMPTXT%' -ErrorAction SilentlyContinue"

echo(
echo Log created at %LOGFILE%
echo(
pause
exit /b

:run_script
REM ABOVE is the log wrapper (console output saved to a timestamped file) v2p0

set FREEGATE_HTTP_PORT=8580
set FREEGATE_HTTP_PORT_ALT=8581
set PSIPHON_HTTP_PORT=3736
set PSIPHON_SOCKS_PORT=1080

echo [%DATE% %TIME%] Starting proxy check...

setlocal

set KEY="HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
set PACFILE=C:\data\sys\batch\proxy.pac
REM v2.0 Replace the HTTP proxy port with a parameterized port
echo ==============================================
echo WINDOWS PROXY CONFIGURATION CHECK
echo ==============================================

REM --- PAC file existence check ---
if not exist "%PACFILE%" (
echo WARNING: PAC file not found at %PACFILE%
) else (
echo PAC file found at %PACFILE%
echo PAC file SHA256 hash:
certutil -hashfile "%PACFILE%" SHA256
)

REM --- WinINET (manual proxy) ---
echo(
echo [1] WinINET / Internet Settings
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v ProxyEnable 2^>nul') do set ProxyEnable=%%B
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v ProxyServer 2^>nul') do set ProxyServer=%%B
if "%ProxyEnable%"=="0x1" (
echo Proxy is ENABLED
echo Proxy server: %ProxyServer%
) else (
echo Proxy is DISABLED
)

REM --- WinHTTP proxy ---
echo(
echo [2] WinHTTP proxy (system/background services)
netsh winhttp show proxy

REM --- PAC (Proxy Auto-Config) & AutoDetect ---
echo(
echo [3] PAC / AutoDetect
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v AutoConfigURL 2^>nul') do set PACurl=%%B
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v AutoDetect 2^>nul') do set AutoDetect=%%B

if defined PACurl (
echo PAC script set: %PACurl%
) else (
echo No PAC script URL found.
)

if "%AutoDetect%"=="0x1" (
echo Auto-detect is ENABLED
) else (
echo Auto-detect is DISABLED
)


REM Added these debugging commands (v1p3)
echo(
echo [4] Psiphon and Mongoose process check
echo tasklist | findstr /i "psiphon3.exe mongoose.exe"
tasklist | findstr /i "psiphon3.exe mongoose.exe"

:: Added this insert to check for freegate proxy (v1p8)
echo(
echo [4b] Freegate process check
tasklist | findstr /i "fg790p.exe"

echo(
echo [5b] Freegate port binding check
REM netstat -ano | findstr :8580
netstat -ano | findstr :%FREEGATE_HTTP_PORT%
REM netstat -ano | findstr :8581
netstat -ano | findstr :%FREEGATE_HTTP_PORT_ALT%
:: END INSERT to check for freegate proxy (v1p8)

echo(
echo [5] Port binding check (Mongoose/Proxy)
echo netstat -ano | findstr :8080
netstat -ano | findstr :8080

echo(
echo [6] DNS resolution test
echo nslookup example.com
REM nslookup example.com
REM v2.1 suppressed stderr
nslookup example.com 2>nul

echo(
echo [7] Internet connectivity test
echo ping 8.8.8.8
ping 8.8.8.8

REM Using %PROXY_PORT% set to Freegate (8580) & then to Psiphon (3736)
echo(
echo [8] Proxy test via curl (Freegate and Psiphon)

REM --- Freegate test (8580) ---
REM set PROXY_PORT=8580
set PROXY_PORT=%FREEGATE_HTTP_PORT%
echo -- Freegate on port %PROXY_PORT% --
echo curl -x http://127.0.0.1:%PROXY_PORT% http://example.com --max-time 5
curl -x http://127.0.0.1:%PROXY_PORT% http://example.com --max-time 5

REM --- Psiphon test (3736) ---
REM set PROXY_PORT=3736
set PROXY_PORT=%PSIPHON_HTTP_PORT%
REM echo -- Psiphon on port %PROXY_PORT% --
echo curl -x http://127.0.0.1:%PROXY_PORT% http://example.com --max-time 5
curl -x http://127.0.0.1:%PROXY_PORT% http://example.com --max-time 5

echo(
echo [9] .NET proxy settings (PowerShell)
echo powershell -Command "[System.Net.WebRequest]::DefaultWebProxy"
powershell -Command "[System.Net.WebRequest]::DefaultWebProxy"

echo(
echo [10] Network adapter configuration
echo ipconfig /all
ipconfig /all

echo(
echo [11] Network interface and routing diagnostics

echo netsh interface show interface
netsh interface show interface

echo(
echo route print
route print

echo(
echo curl --verbose http://example.com
curl --verbose http://example.com

REM Optional deeper trace (creates trace.txt in current folder)
echo(
echo curl --trace trace.txt http://example.com
curl --trace trace.txt http://example.com


echo(
echo Summary:
echo Proxy Enabled: %ProxyEnable%
echo Proxy Server: %ProxyServer%
echo PAC URL: %PACurl%
echo AutoDetect: %AutoDetect%

echo(
echo ==============================================
echo Check complete.
echo ==============================================

echo(
echo [12] Command Reference (manual run options)
echo certutil -hashfile "C:\data\sys\batch\proxy.pac" SHA256
echo reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable
echo reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer
echo netsh winhttp show proxy
echo reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL
echo reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoDetect
echo tasklist | findstr /i "psiphon3.exe mongoose.exe"
echo netstat -ano | findstr :8080
echo nslookup example.com
echo ping 8.8.8.8
REM echo curl -x http://127.0.0.1:3736 http://example.com --max-time 5
echo psiphon http port
echo curl -x http://127.0.0.1:%PSIPHON_HTTP_PORT% http://example.com --max-time 5
echo freegate http port
echo curl -x http://127.0.0.1:%FREEGATE_HTTP_PORT% http://example.com --max-time 5
echo powershell -Command "[System.Net.WebRequest]::DefaultWebProxy"
echo ipconfig /all
echo netsh interface show interface
echo route print
echo curl --verbose http://example.com
echo curl --trace trace.txt http://example.com
echo(
echo Freegate process check:
tasklist | findstr /i "fg790p.exe" || echo No Freegate process found.
echo(
echo Freegate port check:
REM netstat -ano | findstr :8580 || echo No listener on 8580
REM netstat -ano | findstr :8581 || echo No listener on 8581
netstat -ano | findstr :%FREEGATE_HTTP_PORT% || echo No listener on %FREEGATE_HTTP_PORT%
netstat -ano | findstr :%FREEGATE_HTTP_PORT_ALT% || echo No listener on %FREEGATE_HTTP_PORT_ALT%
REM Sometimes Freegate sets ProxyServer to 127.0.0.1:8590 in
REM Internet Options while actually listening on 8580 so check for that
echo(
echo ProxyServer registry value: %ProxyServer%
REM echo Expected Freegate listener: 127.0.0.1:8580
echo Expected Psiphon listener: 127.0.0.1:%PSIPHON_HTTP_PORT%
echo Expected Freegate listener: 127.0.0.1:%FREEGATE_HTTP_PORT%
endlocal

REM end of C:\data\sys\batch\checkproxy.bat
--
Helping others & learning from them is what this Usenet ng is all about.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Marion wrote:

Hence, after posting this proxy-testing script, I will post a much simpler proxy test, which outputs a formatted PASS/FAIL to whether or not your IP address is proxied through Tor/Psiphon free no-registration proxy servers.

Here is a vastly simpler pass/fail script to test if your IP is truly tunneled.

Note that if the proxy is as good as my setup, it's difficult to skirt past it. But it can be done. As shown below. Using direct DNS queries, for example.

@echo off
REM C:\data\sys\batch\checkip.bat 20251029
REM This is version 1p2
REM Designed to be a simple proxy check to compare ISP vs Psiphon exit IP
REM Outputs: Proxy OK: ISP=<your real IP> Psiphon=<proxy IP>
REM Or it outputs: Proxy FAIL: both=<your real IP>
REM v1p0 20251029
REM compares IP addresses with & without proxy
REM Drat. The proxy is well entrenced. Curl just can't get around it.
REM This failed: curl -s https://api.ipify.org
REM because, while curl doesn't use WinINET/WinHTTP,
REM curl was being proxied by proxybridge.
REM This failed: curl -s --noproxy "*" https://api.ipify.org
REM because --noproxy only tells curl to ignore configured proxies.
REM It doesn't bypass ProxyBridge's process-level interception
REM The --noproxy doesn't bypass ProxyBridge's interception.
REM This failed: curl -s --proxy 127.0.0.1:34010
REM because the local ProxyBridge relay port is then proxied by Psiphon.
REM That just pointed curl at ProxyBridge's local relay,
REM which itself forwards into Psiphon. So we still got Psiphon's IP.
REM This failed: powershell -Command "(Invoke-WebRequest -UseBasicParsing
REM https://api.ipify.org -Proxy $null).Content"
REM because ProxyBridge was still intercepting PowerShell's HTTP traffic,
REM so even the classic PowerShell "no proxy" call was being tunneled.
REM v1p1 20261029
REM added nslookup to slip around a well-entrenched proxy which worked
REM because ProxyBridge/Psiphon doesn't proxy UDP DNS queries,
REM so nslookup was finally able to slip around the tunnel.
REM That nslookup DNS trick bypasses ProxyBridge/Psiphon because
REM it's a raw DNS query, not HTTP, to get the true IP.
REM DNS query gives a guaranteed "direct" view of the ISP IP address.
REM v1p2 20261029
REM modified to make the output a single line for simplicity
REM a 1st "for /f" grabs the real ISP IP from the DNS trick.
REM a 2nd "for /f" grabs the Psiphon exit IP via SOCKS5
REM then it compares them for an OK vs FAIL outpout.

@echo off
for /f "tokens=2 delims= " %%A in ('nslookup myip.opendns.com resolver1.opendns.com ^| findstr /R "Address:"') do set ISPIP=%%A
for /f %%A in ('curl -s --socks5 127.0.0.1:1080 https://api.ipify.org') do set PROXYIP=%%A

if "%ISPIP%"=="%PROXYIP%" (
echo Proxy FAIL: both=%ISPIP%
) else (
echo Proxy OK: ISP=%ISPIP% Psiphon=%PROXYIP%
)
pause

:: end of C:\data\sys\batch\checkip.bat
--
I am not here for my ego; nor for my amusement; but to teach & learn.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

UPDATE:

It turns out, after I wrote and tested a few tutorials for using proxies
with & without PAC files, that Windows has a few built-in proxy mechanisms.
1. WinINET
2. WinHTTP
3. PAC (proxy auto config)

I'm indebted to Andy Burns for cluing me into PAC files a month ago
because WinINET and WinHTTP are global "all or nothing" proxy mechanisms, whereas the PAC file mechanisms (proxy auto config) allow you to decide,
per request, per app (such as FF) whether to go direct or thru the proxy.

In addition, since a month ago when I knew nothing about proxies, I've
written tutorials on using proxifiers (such as ProxyBridge which Allan
Higdon kindly clued me into) which allow you to choose binaries to proxy.

Some apps (like Firefox) can load a PAC file directly. Others can use it if
you serve it via HTTP and point Windowso system proxy settings at it.

For serving the PAC file, I've written tutorials in the past month using
the free lightweight "mongoose" file server, launched with a vbs script.

I've also written tutorials in the past month on how to use the Tor &
Psiphon & Freegate free ad-free no-registration proxies for your use.

With these methods, we can fine tune which traffic is tunneled thru the
proxy, which stays local, and even chain multiple proxies if needed.
1. WinINET is used by user-facing apps like Internet Explorer,
Edge, Office, and anything that says "Use system proxy settings."
It applies a single proxy setting to those applications.

2. WinHTTP is used by background services, scripts, and some system
components. It has its own separate proxy configuration, and it
also is "all or nothing" just like WinINET is "all or nothing".

3. PAC (Proxy Auto-Config) is used by browsers like Firefox
(and optionally by WinINET if you point Windows to a PAC URL via
a lightweight web server such as I did with mongoose.exe).
A PAC file is a small JavaScript program that decides per request
whether to go direct, use a proxy, or choose between multiple proxies.

With a PAC file, we can tunnel most of our traffic through Psiphon or Tor
(or any SOCKS/HTTPS proxy) while letting sensitive or local sites bypass it automatically. Instead of flipping proxy settings on and off, the PAC file
acts like a traffic cop, routing each request down the right road.

For example, I just wrote, tested, and posted today, moments ago, a
tutorial for setting up Firefox to use a PAC file for all its traffic.

Following this tutorial makes that tunnel about as iron-clad as I can make
it, where I have tested it every way I can think of to ensure it works.
--
Helping others & learning from them is what this Usenet ng is all about.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Marion wrote:

Following this tutorial makes that tunnel about as iron-clad as I can make it, where I have tested it every way I can think of to ensure it works.

Here's a (probably) final summary of the psiphon.bat proxy utility
(as I haven't felt any need to update the script as I've been testing it
by using it all day, every day, for weeks, on my desktop Windows PC).

BTW, the psiphon.bat script is doing more than just launching Psiphon in
SOCKS mode. It is wrapping Psiphon with a set of helpers so that both
WinINET and WinHTTP aware applications can be forced to use the proxy.

Key points of what it does:

1. Elevation
Checks if running as admin, relaunches with UAC if not.

2. PAC serving
Starts mongoose.vbs to serve proxy.pac locally on 127.0.0.1.
https://127.0.0.1/proxy.pac
Waits a couple of seconds to ensure the PAC file is available.
Verifies with curl that proxy.pac is reachable before continuing.

3. Psiphon launch
Starts psiphon3.exe in SOCKS mode, which listens on a local port.
Waits a few seconds for Psiphon to initialize.

4. PAC logic
Logs the event to proxy.log.
Calls pac.cmd to apply PAC logic silently.
Forces registry keys AutoConfigURL and AutoDetect so that IE/WinINET
always point to http://127.0.0.1/proxy.pac and auto-detect is on.

5. WinHTTP sync
Runs netsh winhttp import proxy source=ie so that WinHTTP apps
(like Windows Update or services) inherit the same proxy settings.
This is the step that extends Psiphon's reach beyond WinINET apps.

6. User interaction
Leaves the console open with a pause so you we see output.
Exits without killing the parent shell.

In effect, this script is bridging three layers:
a. Psiphon provides a SOCKS proxy.
b. Mongoose serves a PAC file that tells browsers & apps how to use it.
c. The batch script forces WinINET and WinHTTP to consume that PAC &
syncs them, so both browser traffic & system services are covered.

Compared to the ProxyBridge wrapper, this approach is more about
coaxing Windows' own proxy stacks (WinINET and WinHTTP) into alignment,
whereas ProxyBridge intercepts traffic at the socket level. Both solve
the same problem from different angles making sure all traffic really
goes through the proxy rather than leaking direct.
--
Understanding the issues is important because details are what matter!
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

ProxyBridge (pb.bat)

Here's a (probably) final summary of the ProxyBridge pb.bat proxy utility
(as I haven't felt any need to update the script as I've been testing it
by using it all day, every day, for weeks, on my desktop Windows PC).

BTW, the pb.bat script is doing more than just launching ProxyBridge
that it adds the functionality I felt was missing from the native tool.

Andy Burns might be right that they removed basic functionality to differentiate their free product tier from their payware after all!

Speaking of Andy Burns, I need to thank him for cluing me in to the
existence of PAC files about a month ago & at the same time I need to thank Allan Higdon for letting me know about ProxyBridge at about the same time.

I knew nothing about either PAC nor ProxyBridge until they suggested them. Starting with their suggestion, I was able to write the psiphon.bat
previously described, and the ProxyBridge wrapper script (pb.bat).

The ProxyBridge (pb.bat) script is essentially a management layer
that adds basic features that I felt ProxyBridge needed, but it lacked.

The pb.bat batch file does four main things:

1. Elevation & setup
Checks for admin rights & re-launches with UAC if needed.
Sets up a log directory & builds a timestamped log filename.

2. Rules handling
Reads rules from rules.txt (or rules_psiphon.txt, rules_tor.txt).
Strips comments & builds a single %PBARGS% string.
This solves ProxyBridge's lack of import/export for rules.

3. Launch & logging
Kills any existing ProxyBridge_CLI.exe process.
Starts ProxyBridge with the defined arguments.
Uses PowerShell Tee-Object to mirror output to console & log file.
Ensures one Ctrl+C cleanly stops ProxyBridge & the batch script.

4. Cleanup & usability
Ensures only one console window is used.
Avoids the "Terminate batch job (Y/N)?" prompt by wrapping in cmd /c.
Provides examples of rules for proxy, block, direct, & port-based
actions, making it easier for others to adopt.

Overall, the ProxyBridge setup is more than just a proxifier in that
it hooks into the Windows networking stack & applies rules per process,
host, port, & protocol.

The script bridges the gap by making ProxyBridge far more practical for
daily use by adding rule persistence, logging, & clean process control.
--
On Usenet you can often find people who know a lot more than you do.
When that happens, it's our job to expand our knowledge from there.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Drat. I found a flaw....


I may need to add privoxy or polipo, as the pac.cmd script helps enforce consistency between WinINET and WinHTTP, but it does not change the
fundamental limitation that WinHTTP cannot speak SOCKS.

1. The pac.cmd script
Forces the AutoConfigURL registry key to point to
http://127.0.0.1/proxy.pac.
Ensures Auto-Detect is enabled.
Calls proxy.cmd /sync so WinINET proxy settings are copied into WinHTTP.
Verifies and re-applies PAC URL and Auto-Detect so they persist.
Logs all of this for traceability.

2. What it cannot do
If the proxy.pac returns "SOCKS 127.0.0.1:1080" then WinINET-aware
apps (like IE or Chrome) can honor that. But WinHTTP ignores SOCKS
directives. It only understands DIRECT or PROXY host:port for HTTP.
So when we run "netsh winhttp import proxy source=ie", WinHTTP
copies only the static HTTP proxy values, not the SOCKS entries
nor the PAC logic.
That means Windows Update and other WinHTTP clients may not tunnel
through Psiphonos SOCKS port just because the PAC is set.

3. What I might add to the tutorial is the use of Privoxy.
Privoxy listens as an HTTP proxy (127.0.0.1:8118).
Then the PAC can return "PROXY 127.0.0.1:8118" for all destinations.
WinINET & WinHTTP both understand that, so all traffic goes to Privoxy.
Privoxy then forwards into Psiphon's SOCKS port, bridging the gap.

So the pac.cmd script is valuable for keeping WinINET and WinHTTP in
sync and making sure the PAC URL is always enforced. But by itself it
does not solve the SOCKS limitation in WinHTTP.

To cover WinHTTP-only apps like Windows Update, we still likely need an HTTP-to-SOCKS bridge such as Privoxy or Polipo, and then have the PAC point
to that bridge.
--
Usenet allows purposefully helpful people to pool their experiences.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

HUGE UPDATE:

I finally fixed a huge problem in that I could never (until now) get VPN to work *last* in the chain (i.e., psiphon + proxybridge + VPN) even as VPN worked fine *first* in the chain (i.e., VPN + psiphon + proxybridge).

MULTIPLE problems needed to be identified:
1. Windows TAP adapter race condition ("Waiting for TUN/TAP interface to come up")
2. Psiphon SOCKS5 proxy lacks UDP ASSOCIATE
3. TAP adapter DHCP failures -> APIPA fallback
4. Free VPN server config variability (static IP vs DHCP push)

After solving those problems, finally, VPN works fine on Windows
whether it's the first or the last in the encryption chain of events.

However, initially only two issues seemed to show up which had to be solved:
1. Windows is too slow so we get "Waiting for TUN/TAP interface to come up"
2. The Psiphon SOCKS5 proxy supports TCP ASSOCIATE but not UDP ASSOCIATE

Given that, TCP VPN configs "should" have worked, even as UDP wouldn't work when VPN was last in the chain (i.e., after ProxyBridge was initiated).

What took a while to identify was WHY both UDP & TCP OpenVPN configs failed (where the VPN error for TCP was DIFFERENT than the error for UDP configs).
TCP: "Waiting for TUN/TAP interface to come up"
UDP: AIPA fallback "Initialization Sequence Completed With Errors"

What first needed to be modified in order for both TCP & UDP configs to
work (whether or not VPN was first or last in the encryption chain) was
each OpenVPN config file needed to tell OpenVPN.exe to employ adaptive commands to set up the TAP interface, and to wait longer before route injection occurs.
# Adaptively choose how Windows OpenVPN configures the TAP adapter
ip-win32 adaptive
# Give Windows 10 seconds longer before route injection begins
route-delay 10

In addition to that TAP adapter setup race with route injection, there is
no way around the fact that Psiphon's SOCKS5 proxy doesn't support UDP.

So the Psiphon rules.txt file needed to be modified extensively.

The rules.txt file had to be modified so that OpenVPN traffic
was handled correctly depending on protocol type. Before, both
TCP and UDP configs failed when VPN was placed last in the chain.

Here are the key changes between version 1p7 & 2p0 rules.txt:
a. Explicitly route OpenVPN.exe TCP traffic through Psiphon
Rule added:
openvpn.exe:*:443:TCP -> PROXY
This ensures that TCP VPN configs are proxied through
Psiphon's SOCKS5 tunnel.

b. Explicitly allow OpenVPN.exe UDP traffic to bypass Psiphon
Rule added:
openvpn.exe:*:*:UDP -> DIRECT
Because Psiphon's SOCKS5 proxy does not support UDP ASSOCIATE,
UDP VPN configs must go direct to the server.

c. Allow TAP/DHCP/DNS setup traffic to go DIRECT
Rules added:
svchost.exe:*:53:UDP -> DIRECT
svchost.exe:*:67,68:UDP -> DIRECT
system:*:*:UDP -> DIRECT
These ensure that Windows can perform DNS lookups and DHCP
lease negotiation for the TAP adapter without being blocked
or forced through Psiphon.

d. Block unwanted UDP traffic from browsers and apps
Rules added such as:
chrome.exe:*:443:UDP -> BLOCK
firefox.exe:*:443:UDP -> BLOCK
brave.exe:*:443:UDP -> BLOCK
This prevents browsers from leaking QUIC/UDP traffic outside
the encrypted chain.

e. Maintain TCP direct access for system processes
Rules like:
svchost.exe:*:*:TCP -> DIRECT
services.exe:*:*:TCP -> DIRECT
system:*:*:TCP -> DIRECT
These allow Windows core services to function normally while
keeping user applications proxied.

Here is the current status as of version 2p0 of the rules.txt file:
1. TCP OpenVPN configs now work when VPN is last in the chain,
because their traffic is correctly proxied through Psiphon.
2. UDP OpenVPN configs now work when VPN is last in the chain,
because their traffic bypasses Psiphon and goes direct.
3. TAP adapter setup traffic (DNS, DHCP) is allowed direct, so
Windows no longer fails with APIPA addresses.
4. Browser UDP traffic (QUIC) is blocked, preventing leaks.

The critical changes in rules.txt were:
1. Split handling of OpenVPN.exe traffic: TCP -> PROXY, UDP -> DIRECT.
2. Allow svchost/system UDP traffic direct for TAP setup.
3. Block browser UDP traffic to prevent leaks.
4. Keep system TCP traffic direct for stability.

Together with the OpenVPN config additions
(ip-win32 adaptive + route-delay 10), these rules fixed the
longstanding problem which had prevented VPN from being used after ProxyBridge. Now VPN works reliably whether it is first or last in the encryption chain.

Here is the version 2p0 of the rules.txt file to donate to the team.
# C:\app\network\proxy\proxybridge\rules.txt v1p0 20251023
# This is version 2p0
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Load this into ProxyBridge using the pb.bat script.
# Syntax: --rule <process>:<hosts>:<ports>:<protocol>:<action>
# Rules are case insensitive, # indicates comments, blank lines ignored.
# v1p1 20251023
# Added useful examples of block, direct & proxy for others to benefit
# Added usable inline comments (requires pb.bat v2p6 or higher to handle)
# v1p2 20251023
# Added usability explanations of dns complexity & QUIC/HTTPS3 issues.
# Added UDP block to handle Brave using experimental protocols above.
# v1p3 20251023
# Added clarification that TCP & UDP rules are not overridden
# v1p4 20251024
# Added Tor SOCKS5 proxy server (in addition to Psiphon's)
# v1p5 20251024
# Note that Tor cannot proxy UDP, so I had to add specific rules for that.
# v1p6 20251025
# Added Chrome, Brave, Edge & FF browser rules due to phoning home.
# v1p7 20251024
# Fixed error that Psiphon doesn't support UDP ASSOCIATE
# This is to avoid proxying UDP (Psiphon doesn't support UDP ASSOCIATE)
# Cleaned up DNS section because DNS via proxy is enabled by default
# v1p8 20251130
# Added DIRECT rules for svchost.exe, route.exe, and system UDP.
# So that TAP setup traffic bypasses ProxyBridge.
# Tunnel traffic (openvpn.exe on TCP 443) still goes through Psiphon.
# This separation allowed DHCP and ARP to succeed but Windows was slow
# to set up the tunnel until I added two directives to TCP config files.
# ip-win32 adaptive
# route-delay = 10
# Remaining issue:
# Even with bypasses, Windows was slow to mark TAP up.
# OpenVPN kept looping "Waiting for TUN/TAP interface to come up"
# v1p9 20251201
# Combined both TCP/UDP cases in a single rules.txt file by
# explicitly allowing UDP traffic from OpenVPN to go DIRECT,
# while still proxying TCP 443 through Psiphon
# Now TCP tunnel traffic is proxied through Psiphon
# While UDP tunnel traffic bypasses ProxyBridge (DIRECT)
# And TAP setup traffic (DHCP, ARP, route injection) is always DIRECT so
# OpenVPN can bring the interface up in time given ProxyBridge delays.
# v2p0 20251201
# The rules bypassed ProxyBridge, but the TAP adapter still failed DHCP.
# Windows gave it a fallback 169.254.x.x address, so OpenVPN reported
# "Completed With Errors." For UDP VPNGate configs to work, they must run
# DIRECT without Psiphon, and the network must allow the TAP adapter
# to obtain a proper 10.x.x.x lease from the VPN server.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

--proxy socks5://127.0.0.1:1080 # Psiphon local SOCKS5 listener
# --proxy socks5://127.0.0.1:9150 # Tor Browser SOCKS5 listener (optional)

# Applications that should always use the proxy
--rule telegram.exe:*:*:TCP:PROXY
--rule MemoryHogs.exe:*:*:TCP:PROXY
--rule dialog.exe:*:*:TCP:PROXY

# Block QUIC/HTTP3 globally
--rule *:*:443:UDP:BLOCK

# Brave rules
--rule brave.exe:*:*:TCP:PROXY
--rule brave.exe:*:443:UDP:BLOCK
--rule BraveUpdate.exe:*:*:TCP:BLOCK
--rule brave.exe:*:5228:TCP:BLOCK
--rule brave.exe:*:53:UDP:BLOCK

# Chromium rules
--rule chrome.exe:*:*:TCP:PROXY
--rule chrome.exe:*:443:UDP:BLOCK
--rule chrome.exe:*:5228:TCP:BLOCK
--rule chrome.exe:*:53:UDP:BLOCK

# Firefox rules
--rule firefox.exe:*:*:TCP:PROXY
--rule firefox.exe:*:443:UDP:BLOCK

# Block telemetry and unwanted processes
--rule OneDrive.exe:*:*:TCP:BLOCK
--rule CompatTelRunner.exe:*:*:TCP:BLOCK
--rule SearchApp.exe:*:*:TCP:BLOCK

# Core system processes bypass proxy
--rule svchost.exe:*:*:TCP:DIRECT
--rule services.exe:*:*:TCP:DIRECT
--rule system:*:*:TCP:DIRECT

# Utility
--rule curl.exe:*:*:TCP:PROXY

# DNS and TAP setup bypass
--rule svchost.exe:*:53:UDP:DIRECT
--rule svchost.exe:*:67,68:UDP:DIRECT
--rule svchost.exe:*:*:UDP:DIRECT
--rule system:*:*:UDP:DIRECT
--rule route.exe:*:*:TCP:DIRECT
--rule route.exe:*:*:UDP:DIRECT

# OpenVPN rules
--rule openvpn.exe:*:443:TCP:PROXY # TCP tunnel proxied through Psiphon
--rule openvpn.exe:*:*:UDP:DIRECT # UDP tunnel bypasses ProxyBridge
# NOTE: For UDP OpenVPN configs to work, they must run DIRECT without Psiphon,
# and the network must allow the TAP adapter to obtain a proper 10.x.x.x lease.
# Otherwise OpenVPN will report "Initialization Sequence Completed With Errors"
# and the TAP adapter will fall back to a 169.254.x.x APIPA address.

# Log level
--verbose 3

# end of C:\app\network\proxy\proxybridge\rules.txt
--
The point of Usenet is for smart people to help each other & for results
to be archived so that anyone can access our immense tribal knowledge.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

Marian wrote:

So the Psiphon rules.txt file needed to be modified extensively.

Correction.

The "ProxyBridge" rules.txt file had to be extensively modified.
[Not the Psiphon rules.txt file (which doesn't exist).]

I never would have started this project of creating a robust proxy on
Windows had I known how many problems would have to be surmounted, but
finally, after a couple of months (elapsed time), it's all resolved.
VPN + {Psiphon/SOCKS5 + ProxyBridge} required extensive modifications
{Psiphon/SOCKS5 + ProxyBridge} + VPN required even more modifications

But it all works well now (although WinHTTP can't use PAC or SOCKS still)
VPN first, Psiphon SOCKS5 proxy second & ProxyBridge last works well now.
Psiphon SOCKS5 proxy first, ProxyBridge second & VPN last works well too.

The fundamental problems first & foremost were not only that Psiphon's
SOCKS5 proxy does not handle UDP tunneling, but that the Windows TAP
adapter (Terminal Access Point) takes time to come up with ProxyBridge.
*Cannot connect OVPN (UDP) through SOCKS5 proxy*
<https://github.com/OpenVPN/openvpn/issues/661>

*What is TAP-Windows Adapter*
<https://www.thewindowsclub.com/tap-windows-adapters-vpn-driver>

In theory, SOCKS5 proxies "should" be able to work with OpenVPN.
*SOCKS5, HTTP, UDP Proxies in OpenVPN*
<https://www.proxyfella.com/2024/11/30/socks5-http-udp-proxies-in-openvpn/>

Each operating system requires DIFFERENT commands to solve these issues.
For example, "ip-win32 adaptive" is a Windows-only OpenVPN directive.

Linux-based operating systems work better than Windows, where, for example,
on Android, Psiphon's tunneling is more complete (TCP + UDP), but Windows support is limited such that some users have resorted to using dns2socks
for DNS resolution (but this has its own inherent problems as noted here).
*psiphon-tun2socks*
<https://github.com/Nebula-Mechanica/psiphon-tun2socks>

Windows is just a lousy platform for networking, it turns out, where, for example, I had to extensively modify Windows just to make it work well.
a. I had to sync WinINET & static WinHTTP proxy settings
b. I had to set AutoConfigURL and AutoDetect registry keys
c. I had to set the PAC file using the Windows registry
d. I had to sync PAC from file:///C:/data/sys/batch/proxy.pac
e. I had to run Mongoose to serve PAC at http://127.0.0.1/proxy.pac
f. I had to route other traffic via SOCKS 127.0.0.1:1080
g. And even then, WinHTTP can't use PAC or SOCKS, so I have to fix that
etc.

Basically, Windows sucks as these things, but one by one we can work around them, which is what the set of files I posted in this thread purport to do.
1. Win+R > psiphon.bat (this starts Psiphon SOCKS5 & syncs the above)
2. Win+R > pb.bat (this starts ProxyBridge which reads in rules.txt)
3. rules.txt (this tells ProxyBridge what to send thru the socks proxy)
4. pac.cmd (this sets a registry key to point to the PAC file)
5. proxy.pac (this sets PAC rules of what domains to skip proxy)
6. launchmongoose.vbs (this locally serves proxy.pac as http & https)
7. Win+R > psiphonstop.bat (this gracefully undoes all of the above setup)

This is a general purpose solution in that it uses 100% freeware so anyone
can run all of the above without cost simply by installing the software.
1. OpenVPN freeware + freely available UDP/TCP OpenVPN config files
2. Psiphon freeware + scripts to sync WinINET + WinHTTP + PAC files
3. ProxyBridge freeware + scripts to add missing rules.txt functionality
4. Mongoose freeware + scripts to serve the localhost PAC file as HTTPS

In summary, this is a complete DIY proxy + VPN system for all Windows executables (whether or not they inherently work with SOCKS5 proxies),
but even now, WinHTTP apps (e.g., Windows update) do not use PAC/SOCKS
and will and will connect directly unless I add something like Polipo.

What I conclude, personally, from this endeavor, is that while everything
you want to accomplish can be done with effort, Windows sucks at this type
of networking. It would have been much easier to do on a Linux-based PC.
--
Everything is possible if you're intelligent, but it's not always worth it.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.msdos.batch

README.TXT 20251202
===========

Overview
This directory contains scripts and configuration files that work
together to launch, manage and stop a Psiphon based SOCKS5 proxy
environment on Windows. The setup uses Mongoose to serve a PAC file,
batch scripts to apply and reset proxy settings, ProxyBridge to enforce
process specific rules, and supporting files to control behavior. The
goal is to route browser and selected application traffic through
Psiphon while leaving system services and critical networking functions
direct.

Files
-----

psiphon.bat
This batch script launches Mongoose to serve proxy.pac, verifies
availability of the PAC file, then launches Psiphon in SOCKS mode. It
applies PAC logic to WinINET applications such as browsers, forces
registry keys to persist AutoConfigURL and AutoDetect, and syncs WinINET
proxy settings into WinHTTP. It logs activity to proxy.log. It warns
that WinHTTP applications such as Windows Update do not honor PAC or
SOCKS. It suggests using Privoxy or Polipo to bridge SOCKS to HTTP if
WinHTTP apps must be tunneled.

launchmongoose.vbs
This VBScript starts mongoose.exe silently if not already running. It
serves proxy.pac at http://127.0.0.1/proxy.pac. It logs launch attempts
to mongoose.log. It ensures the working directory is set so proxy.pac is
served correctly. It includes tutorial comments for loading PAC files
directly into Firefox using file:/// URLs. It notes that WPAD auto
discovery requires the file to be named wpad.dat and served at
http://wpad.domain/wpad.dat. Localhost proxy.pac works only with manual
configuration.

proxy.pac
This PAC file defines proxy rules. It bypasses Gmail, Google, Amazon,
and Copilot domains with DIRECT connections. All other traffic is routed
through SOCKS 127.0.0.1:1080. This works for WinINET based applications
such as Chrome, Edge, and IE. WinHTTP applications ignore PAC and SOCKS.
The file includes version history and comments explaining split tunnel
behavior. It notes that WPAD clients expect wpad.dat not proxy.pac.

pac.cmd
This script is a helper called automatically from psiphon.bat. It
enforces PAC logic silently. It logs its run, detects if it was called
from psiphon.bat, and then calls proxy.cmd to perform actual
configuration. It checks current PAC URL and AutoDetect status, applies
changes if needed, forces registry keys, and re captures status for
display. It ensures that proxy.cmd reflects correct status immediately.
It is a wrapper around proxy.cmd designed for automation.

proxy.cmd
This script is the diagnostic and configuration tool for proxy settings.
It can be run directly by the user or indirectly by pac.cmd. It supports
flags such as /help, /sync, /nopac, /status, /reset, /silent, or a PAC
URL. It manipulates registry keys under HKCU\Software\Microsoft\Windows\
CurrentVersion\Internet Settings. It can set or clear PAC URLs, enable
or disable AutoDetect, enable or disable static proxy servers. It syncs
WinINET into WinHTTP if needed. It displays detailed status of WinINET,
WinHTTP, and PAC configuration. It logs every invocation to proxy.log.
It is the heavy duty tool that pac.cmd relies on.

psiphonstop.bat
This batch script stops Psiphon and Mongoose if running, resets WinINET
and WinHTTP proxy settings, flushes DNS, resets IP stack, and attempts
Winsock reset with retry logic. It logs shutdown events to proxy.log and
mongoose.log. It exports registry keys before deletion for backup. It
sets ProxyEnable to 0 to force direct access. It clears ProxyOverride.
It resets WinHTTP proxy with netsh winhttp reset proxy. It checks Wi Fi
adapter state before Winsock reset. It logs environment proxy variables.
It reminds the user to clear browser cache and disable proxy extensions.
It ends with a beep to signal completion.

pb.bat
This batch script launches ProxyBridge CLI with rules defined in
rules.txt. It checks for administrator privileges, sets up logging,
reads rules.txt, strips comments, builds arguments, and runs ProxyBridge.
It ensures only one console window is used and that Ctrl+C stops
ProxyBridge cleanly. It logs output to timestamped files. It is designed
to enforce process specific proxy rules using Psiphon or Tor SOCKS5
listeners. It is a wrapper around ProxyBridge CLI for usability and
persistence.

rules.txt
This file defines ProxyBridge rules. It sets Psiphon SOCKS5 at
127.0.0.1:1080 as the default proxy. It forces browsers such as Brave,
Chrome, and Firefox to use the proxy for TCP traffic and blocks UDP
QUIC. It blocks telemetry processes such as OneDrive and CompatTelRunner.
It bypasses core system processes such as svchost.exe, services.exe, and
system to ensure DNS, DHCP, ARP, and TAP setup traffic go direct. It
proxies OpenVPN TCP 443 traffic through Psiphon but allows UDP tunnel
traffic direct. It logs at verbose level 3. It notes that UDP based VPN
configs must run direct without Psiphon.

Note that VPN can be run either before or after ProxyBridge now, i.e.,
VPN + {Psiphon/SOCKS5 + ProxyBridge/rules.txt} always worked fine
{Psiphon/SOCKS5 + ProxyBridge/rules.ext} + VPN now also works fine

Behavior Summary
----------------
Browsers using WinINET such as Chrome, Edge, IE, and Opera will honor
proxy.pac and route traffic through Psiphon SOCKS except for domains
explicitly bypassed. Firefox requires manual configuration or use of
system proxy settings. WinHTTP applications such as Windows Update and
Microsoft Store do not honor PAC or SOCKS and will connect direct unless
an HTTP to SOCKS bridge is used. Command line tools (such as curl and git)
ignore WinINET PAC unless configured with environment variables.
ProxyBridge enforces process specific rules to ensure selected apps are
tunneled while system services remain direct.

Limitations
-----------
WinHTTP does not support PAC or SOCKS. Windows Update and other system
services will not use Psiphon under this setup. UDP traffic cannot be
proxied through Psiphon SOCKS. WPAD auto discovery requires wpad.dat
served at http://wpad.domain/wpad.dat. Localhost proxy.pac works only
with manual configuration. Environment variables such as HTTP_PROXY may
still affect command line tools unless cleared. ProxyBridge rules must
explicitly list each application to be tunneled. Applications not listed
will connect direct.

Conclusion
----------
This environment provides a controlled way to route browser and selected
application traffic through Psiphon while leaving system services direct.
It uses Mongoose to serve PAC, batch scripts pac.cmd and proxy.cmd to
apply and reset proxy settings, and ProxyBridge with rules.txt to enforce
process specific behavior. For full coverage, including WinHTTP programs,
an HTTP to SOCKS bridge (such as Privoxy or Polipo) is likely required.
--- Synchronet 3.21a-Linux NewsLink 1.2